CVE-2025-11380: CWE-862 Missing Authorization in everestthemes Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'everest_process_status' AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location.
AI Analysis
Technical Summary
CVE-2025-11380 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin, affecting all versions up to 2.3.5. The flaw arises from the absence of a capability check on the 'everest_process_status' AJAX action, which is accessible without authentication. This allows unauthenticated attackers to query the status of backup processes and retrieve the locations of backup files if a backup is currently running. Since backup files often contain sensitive data, unauthorized access to their locations can lead to data leakage. The vulnerability does not permit modification or deletion of backups, limiting the impact to confidentiality. Exploitation requires no user interaction and can be performed remotely over the network, but the attack complexity is high because a backup must be actively running during the attack. No patches are currently linked, and no known exploits have been observed in the wild. The CVSS v3.1 score is 5.9, reflecting medium severity with a vector indicating network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.
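To make the CWE-862 pattern concrete, here is an added illustration of an unchecked AJAX status handler beside a hardened one. This is not the Everest Backup plugin's own code: the function names, the option key and the payload fields are assumptions, and only the 'everest_process_status' action name comes from the advisory.

```php
<?php
// Added illustration of the CWE-862 pattern behind CVE-2025-11380; this is NOT
// the Everest Backup plugin's own code. Function names, the option key and the
// payload fields are assumptions. Define EXAMPLE_HARDENED to register the fixed
// handler instead of the unchecked one.

// UNCHECKED: registered on wp_ajax_nopriv_, so admin-ajax.php dispatches
// logged-out requests to it, and the handler never asks who is calling. Anyone
// who can reach the site reads whatever the status payload holds, including the
// path of the archive being written while a backup is running.
function example_process_status_unchecked() {
    $status = get_option( 'example_backup_process_status', array() ); // assumed key
    wp_send_json_success( $status ); // e.g. array( 'state' => 'running', 'file' => '/abs/path.zip' )
}

// HARDENED: (1) no wp_ajax_nopriv_ registration, so anonymous requests get
// WordPress's default '0' reply; (2) a capability check ties the action to a
// privilege, manage_options being the usual administrator gate; (3) a nonce
// check blocks CSRF from an administrator's browser (mint it with
// wp_create_nonce( 'example_backup_status' ) on the page that issues the call);
// (4) the response carries state and progress only, never a filesystem path.
function example_process_status_checked() {
    check_ajax_referer( 'example_backup_status', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }
    $status = get_option( 'example_backup_process_status', array() );
    wp_send_json_success( array(
        'state'    => isset( $status['state'] ) ? (string) $status['state'] : 'idle',
        'progress' => isset( $status['progress'] ) ? (int) $status['progress'] : 0,
    ) );
}

if ( defined( 'EXAMPLE_HARDENED' ) ) {
    add_action( 'wp_ajax_everest_process_status', 'example_process_status_checked' );
} else {
    add_action( 'wp_ajax_everest_process_status',        'example_process_status_unchecked' );
    add_action( 'wp_ajax_nopriv_everest_process_status', 'example_process_status_unchecked' );
}
```

Even with the capability check in place, keeping absolute paths out of the status response limits what a future authorization slip could leak.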
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of backup file locations, potentially exposing sensitive business or customer data contained within backups. Organizations relying on the Everest Backup plugin for WordPress sites that are publicly accessible are at risk, especially if backups are running during the attack window. The exposure of backup file locations could facilitate further attacks, such as targeted file downloads or exploitation of backup storage misconfigurations. While the vulnerability does not allow data modification or service disruption, the confidentiality breach could lead to regulatory compliance issues under GDPR, reputational damage, and potential financial penalties. The medium severity score reflects that while exploitation is possible remotely without authentication, the requirement for a running backup and high attack complexity reduce the likelihood of widespread impact. However, organizations with frequent or automated backup schedules may be more vulnerable due to increased attack windows.
Mitigation Recommendations
Organizations should immediately audit their WordPress installations to identify the presence of the Everest Backup plugin and its version. Until an official patch is released, administrators should consider disabling the plugin or the vulnerable AJAX action if feasible. Restricting access to the 'everest_process_status' AJAX endpoint via web application firewall (WAF) rules or IP whitelisting can reduce exposure. Monitoring backup processes and logs for unusual access patterns is recommended. Additionally, securing backup storage locations with proper access controls and ensuring backups are encrypted at rest will mitigate the impact of any unauthorized access. Regularly updating WordPress plugins and subscribing to vulnerability advisories from the vendor and security communities will help ensure timely patching once available. Finally, organizations should review their backup schedules to minimize the time windows when backups are running and vulnerable.
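One way to apply the "disable the vulnerable AJAX action" recommendation without editing the vendor plugin is a must-use plugin that answers the anonymous request first. This is an added example, not vendor code; it assumes the plugin registers its handler through the standard wp_ajax_nopriv_ hook at the default priority.

```php
<?php
/**
 * Plugin Name: CVE-2025-11380 interim block for everest_process_status
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 *              and remove once a fixed Everest Backup release is installed.
 */

// admin-ajax.php routes logged-out requests to wp_ajax_nopriv_{action}. Must-use
// plugins load before regular plugins and this callback registers at priority 0,
// so it runs ahead of the plugin's own handler (assumed to use the default
// priority 10). wp_send_json_error() ends the request, so the handler that would
// return the backup location never executes for an anonymous caller.
add_action( 'wp_ajax_nopriv_everest_process_status', function () {
    // One log line per blocked attempt; feed it to the WAF/SIEM rules the
    // advisory recommends. The client address is taken from REMOTE_ADDR, which
    // is only meaningful if the web server is not behind an untrusted proxy.
    error_log( sprintf(
        'CVE-2025-11380 mitigation: blocked anonymous everest_process_status from %s',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'authentication required' ), 403 );
}, 0 );
```

Logged-in administrators still reach the plugin's own handler, so the backup UI keeps working while the anonymous path is closed.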
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-06T17:13:51.116Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e9c57e54cfe91d8fee2b98
Added to database: 10/11/2025, 2:48:30 AM
Last enriched: 10/11/2025, 3:03:42 AM
Last updated: 10/11/2025, 10:16:06 AM