CVE-2025-14944: CWE-862 Missing Authorization in inisev BackupBliss – Backup & Migration with Free Cloud Storage
CVE-2025-14944 is a medium severity vulnerability in the BackupBliss – Backup & Migration with Free Cloud Storage WordPress plugin up to version 2. 0. 0. The issue arises from missing authorization checks and lack of proper nonce verification in the 'initializeOfflineAjax' function. The plugin's endpoint relies on hardcoded tokens exposed in JavaScript, allowing unauthenticated attackers to trigger backup upload queue processing. This can lead to unexpected backup transfers to cloud storage targets and potential resource exhaustion. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
The Backup Migration plugin for WordPress, BackupBliss, suffers from a missing authorization vulnerability (CWE-862) in all versions up to 2.0.0. Specifically, the 'initializeOfflineAjax' function does not perform capability checks or proper nonce verification. Instead, it validates requests using hardcoded tokens embedded in the plugin's JavaScript, which are publicly accessible. This flaw enables unauthenticated attackers to invoke the backup upload queue processing endpoint, potentially causing unintended backup operations and resource exhaustion. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. There is no vendor advisory or patch available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets. This may lead to resource exhaustion on the affected system. There is no indication of confidentiality or integrity impact, only availability impact rated as low to medium. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the affected plugin functionality to prevent unauthorized triggering of backup processes. Monitor plugin updates from the vendor for a security patch addressing this missing authorization issue.
CVE-2025-14944: CWE-862 Missing Authorization in inisev BackupBliss – Backup & Migration with Free Cloud Storage
Description
CVE-2025-14944 is a medium severity vulnerability in the BackupBliss – Backup & Migration with Free Cloud Storage WordPress plugin up to version 2. 0. 0. The issue arises from missing authorization checks and lack of proper nonce verification in the 'initializeOfflineAjax' function. The plugin's endpoint relies on hardcoded tokens exposed in JavaScript, allowing unauthenticated attackers to trigger backup upload queue processing. This can lead to unexpected backup transfers to cloud storage targets and potential resource exhaustion. No official patch or remediation guidance is currently available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Backup Migration plugin for WordPress, BackupBliss, suffers from a missing authorization vulnerability (CWE-862) in all versions up to 2.0.0. Specifically, the 'initializeOfflineAjax' function does not perform capability checks or proper nonce verification. Instead, it validates requests using hardcoded tokens embedded in the plugin's JavaScript, which are publicly accessible. This flaw enables unauthenticated attackers to invoke the backup upload queue processing endpoint, potentially causing unintended backup operations and resource exhaustion. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. There is no vendor advisory or patch available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets. This may lead to resource exhaustion on the affected system. There is no indication of confidentiality or integrity impact, only availability impact rated as low to medium. No known exploits are reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or restricting access to the affected plugin functionality to prevent unauthorized triggering of backup processes. Monitor plugin updates from the vendor for a security patch addressing this missing authorization issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-19T00:55:56.950Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d534e5aaed68159a357dbd
Added to database: 4/7/2026, 4:46:29 PM
Last enriched: 4/15/2026, 1:30:08 PM
Last updated: 5/23/2026, 3:43:21 AM
Views: 61
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.