CVE-2025-11380 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin. The flaw arises from the absence of a capability check on the 'everest_process_status' AJAX action, which is accessible without authentication. This allows unauthenticated attackers to query the status of backup processes and retrieve the locations of backup files. Since backup files often contain comprehensive data snapshots, including sensitive user and site information, unauthorized access to these files can lead to significant data exposure. The vulnerability requires that a backup operation is actively running for the attacker to obtain the backup location information. The CVSS v3.1 base score is 5.9 (medium), reflecting the network attack vector, high complexity, no privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. No patches or known exploits are currently reported, but the risk remains due to the sensitive nature of backup data and the ease of exploitation once a backup is running. This vulnerability affects all plugin versions up to 2.3.5, indicating a broad impact surface for sites using this plugin. The plugin is used primarily in WordPress environments, which are widely deployed globally, especially in small to medium businesses and content management systems.

The primary impact of CVE-2025-11380 is unauthorized disclosure of sensitive backup data, which can include user information, website content, configuration files, and potentially credentials or API keys stored within backups. This exposure can lead to privacy violations, data breaches, and further exploitation if attackers use the backup data to identify additional vulnerabilities or gain deeper access. Since the vulnerability does not affect integrity or availability, it does not directly enable data modification or service disruption. However, the confidentiality breach alone can have severe consequences, including regulatory penalties and reputational damage. Organizations relying on this plugin for backup and migration services are at risk, especially if backups contain sensitive or regulated data. The requirement that a backup process be running limits the window of opportunity but does not eliminate risk, as backups are often scheduled or triggered regularly. The lack of authentication requirement and the network accessibility of the AJAX endpoint increase the threat level. Given WordPress's extensive global use, the vulnerability could affect a wide range of organizations, from small businesses to large enterprises, particularly those that have not updated the plugin or implemented compensating controls.

To mitigate CVE-2025-11380, organizations should immediately update the Everest Backup plugin to a version that includes proper authorization checks once available. Until a patch is released, administrators should consider disabling or restricting access to the 'everest_process_status' AJAX action by implementing web application firewall (WAF) rules that block unauthenticated requests to this endpoint. Restricting access to backup files and directories at the web server level using access control lists or .htaccess rules can prevent unauthorized downloads even if backup locations are disclosed. Scheduling backups during low-traffic periods and monitoring backup process activity can reduce the attack window. Additionally, organizations should audit backup contents to ensure no sensitive credentials or unnecessary data are stored. Employing network segmentation and limiting public exposure of WordPress admin AJAX endpoints can further reduce risk. Regular security assessments and monitoring for unusual access patterns to backup files or AJAX endpoints are recommended. Finally, educating site administrators about the risks and ensuring timely plugin updates are critical to maintaining security.