CVE-2025-14944: CWE-862 Missing Authorization in inisev BackupBliss – Backup & Migration with Free Cloud Storage
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
AI Analysis
Technical Summary
The BackupBliss – Backup & Migration with Free Cloud Storage WordPress plugin suffers from a missing authorization vulnerability (CWE-862) in all versions up to 2.0.0. The 'initializeOfflineAjax' function lacks proper capability checks and nonce verification, relying instead on hardcoded tokens publicly visible in the plugin's JavaScript code. This flaw enables unauthenticated attackers to invoke backup upload queue processing endpoints, which may lead to unintended backup transfers to cloud storage and resource exhaustion. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts availability only. No patches or official fixes have been published as of the vulnerability disclosure date.
Potential Impact
The vulnerability allows unauthenticated attackers to trigger backup upload queue processing, which can cause unexpected backup transfers to configured cloud storage targets and potentially lead to resource exhaustion on the affected system. There is no direct confidentiality or integrity impact reported. The availability impact is rated as low but could disrupt normal backup operations or degrade system performance.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the vulnerable plugin functionality if possible. Monitoring for unusual backup activity and limiting exposure of the plugin's JavaScript files may reduce risk, but no vendor-provided mitigation or temporary fix is currently documented.
CVE-2025-14944: CWE-862 Missing Authorization in inisev BackupBliss – Backup & Migration with Free Cloud Storage
Description
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The BackupBliss – Backup & Migration with Free Cloud Storage WordPress plugin suffers from a missing authorization vulnerability (CWE-862) in all versions up to 2.0.0. The 'initializeOfflineAjax' function lacks proper capability checks and nonce verification, relying instead on hardcoded tokens publicly visible in the plugin's JavaScript code. This flaw enables unauthenticated attackers to invoke backup upload queue processing endpoints, which may lead to unintended backup transfers to cloud storage and resource exhaustion. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts availability only. No patches or official fixes have been published as of the vulnerability disclosure date.
Potential Impact
The vulnerability allows unauthenticated attackers to trigger backup upload queue processing, which can cause unexpected backup transfers to configured cloud storage targets and potentially lead to resource exhaustion on the affected system. There is no direct confidentiality or integrity impact reported. The availability impact is rated as low but could disrupt normal backup operations or degrade system performance.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting access to the vulnerable plugin functionality if possible. Monitoring for unusual backup activity and limiting exposure of the plugin's JavaScript files may reduce risk, but no vendor-provided mitigation or temporary fix is currently documented.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-19T00:55:56.950Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d534e5aaed68159a357dbd
Added to database: 4/7/2026, 4:46:29 PM
Last enriched: 4/7/2026, 5:02:03 PM
Last updated: 4/8/2026, 12:44:18 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.