CVE-2025-10579: CWE-862 Missing Authorization in wp_media BackWPup – WordPress Backup & Restore Plugin
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a backup's filename while a backup is running. This information has little value on its own, but could be used to aid in a brute force attack to retrieve backup contents in limited environments (e.g., NGINX).
AI Analysis
Technical Summary
CVE-2025-10579 is a vulnerability classified under CWE-862 (Missing Authorization) found in the BackWPup – WordPress Backup & Restore Plugin, which is widely used for managing backups in WordPress environments. The flaw arises from the absence of a proper capability check on the 'backwpup_working' AJAX action, allowing any authenticated user with at least Subscriber-level privileges to access the filename of a backup file while a backup process is running. Although the vulnerability does not directly expose backup contents or allow modification, the disclosure of backup filenames can be leveraged by attackers to conduct targeted brute force attacks against backup files, particularly in server environments like NGINX where certain access controls might be bypassed or misconfigured. The vulnerability affects all versions up to and including 5.5.0 of the plugin. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector highlighting network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No patches or known exploits are currently available, but the risk lies in the potential for information disclosure that could facilitate further attacks. The vulnerability is significant because backup files often contain sensitive data, and unauthorized access to backup filenames can be a stepping stone to more severe breaches if combined with other weaknesses or misconfigurations.
Potential Impact
For European organizations, the impact of this vulnerability primarily concerns confidentiality. Exposure of backup filenames can aid attackers in identifying valuable backup files to target for brute force or other attacks, potentially leading to unauthorized access to sensitive data contained within backups. Organizations relying on BackWPup for WordPress backup management and hosting public-facing WordPress sites are at risk, especially if they allow Subscriber-level users or higher to authenticate on their sites. This risk is heightened in environments where web server configurations (e.g., NGINX) may inadvertently allow easier access to backup files once their names are known. The vulnerability does not directly impact system integrity or availability but can lead to data breaches if exploited in combination with other vulnerabilities or weak backup file protections. Given the widespread use of WordPress across Europe, especially among SMEs and public sector entities, this vulnerability could facilitate targeted attacks against critical data repositories. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
European organizations should immediately verify if they use the BackWPup plugin and identify the plugin version. Since no official patch links are provided, organizations should monitor vendor announcements for patches and apply them promptly once available. In the interim, restrict Subscriber-level and higher user permissions to only trusted users to minimize the risk of exploitation. Implement web server-level access controls to protect backup directories and files, ensuring that backup files are not publicly accessible or exposed via predictable URLs. Employ strong authentication and monitoring to detect unusual access patterns to backup-related AJAX endpoints. Consider disabling or restricting the 'backwpup_working' AJAX action if feasible, or implement custom capability checks via WordPress hooks to enforce authorization. Regularly audit backup storage locations and ensure backups are encrypted and stored securely. Additionally, review and harden NGINX or other web server configurations to prevent unauthorized file access based on filename enumeration.
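One way to apply the "custom capability checks via WordPress hooks" interim mitigation above, as an added example that is not BackWPup's own code and not a vendor-supplied fix. WordPress routes an admin-ajax request with action=backwpup_working to the `wp_ajax_backwpup_working` hook, so a site operator can register an early-priority callback on that same hook from a must-use plugin and end the request before the plugin's handler runs. Assumptions: the plugin registers its callback at WordPress's default priority (10), administrators (`manage_options`) are the only role that should poll backup progress, and the function and constant names and the nonce action string are placeholders chosen for this illustration.

```php
<?php
/**
 * Plugin Name: Example guard for the backwpup_working AJAX action
 * Description: Added example, not BackWPup's code. Place in wp-content/mu-plugins/.
 *
 * Registers a callback on the same AJAX hook the plugin uses, at priority 1 so it
 * runs before the plugin's own handler (assumed to sit at the default priority 10).
 * wp_send_json_error() terminates the request, so the plugin callback never executes
 * for callers who fail the check.
 */

// Capability required to poll backup progress. 'manage_options' = administrators;
// adjust if a different role legitimately operates backups on your site.
const EXAMPLE_BACKWPUP_REQUIRED_CAP = 'manage_options';

function example_backwpup_guard_working_action(): void {
    // Subscriber-level users are logged in, so is_user_logged_in() alone is not
    // enough; the capability check is what closes the CWE-862 gap.
    if ( is_user_logged_in() && current_user_can( EXAMPLE_BACKWPUP_REQUIRED_CAP ) ) {
        return; // authorized: let the plugin's handler run as usual
    }

    // Record the denial so repeated probes from low-privilege accounts can be alerted on.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'backwpup_working denied: user_id=%d remote=%s',
        get_current_user_id(),
        $remote
    ) );

    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

add_action( 'wp_ajax_backwpup_working', 'example_backwpup_guard_working_action', 1 );

/**
 * For plugin authors: the same check in its in-handler form. This is a hypothetical
 * handler for illustration; BackWPup's real handler is not reproduced here, and
 * 'example_nonce_action' / 'nonce' are placeholder nonce names.
 */
function example_hardened_working_handler(): void {
    // CSRF protection: check_ajax_referer() dies with a 403 if the nonce is missing or stale.
    check_ajax_referer( 'example_nonce_action', 'nonce' );

    // Authorization: the missing step that CWE-862 describes.
    if ( ! current_user_can( EXAMPLE_BACKWPUP_REQUIRED_CAP ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only now is it safe to read job state and return backup filenames.
    wp_send_json_success( array( 'status' => 'running' ) );
}
```

The guard changes nothing for administrators and returns a JSON 403 to everyone else, which is also a clean signal to alert on in the web server or PHP error log. It is a stopgap for the interim period the recommendations describe, not a replacement for applying the vendor's patch once one is published.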
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-16T19:37:30.649Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc525a9a6ac51d5490d28f
Added to database: 10/25/2025, 4:30:18 AM
Last enriched: 11/1/2025, 5:28:02 AM
Last updated: 12/7/2025, 1:41:42 AM
Related Threats
- CVE-2025-14141: Buffer Overflow in UTT 进取 520W (High)
- CVE-2025-14140: Buffer Overflow in UTT 进取 520W (High)
- CVE-2025-14139: Buffer Overflow in UTT 进取 520W (Medium)
- CVE-2025-14136: Stack-based Buffer Overflow in Linksys RE6500 (High)
- CVE-2025-14135: Stack-based Buffer Overflow in Linksys RE6500 (High)