
CVE-2025-15041: CWE-862 Missing Authorization in wp_media BackWPup – WordPress Backup & Restore Plugin

High
Vulnerability, CVE-2025-15041, cve, cve-2025-15041, cwe-862
Published: Thu Feb 19 2026 (02/19/2026, 04:36:07 UTC)
Source: CVE Database V5
Vendor/Project: wp_media
Product: BackWPup – WordPress Backup & Restore Plugin

Description

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

AI-Powered Analysis

Last updated: 02/19/2026, 05:11:28 UTC

Technical Analysis

CVE-2025-15041 is a vulnerability classified under CWE-862 (Missing Authorization) found in the BackWPup – WordPress Backup & Restore Plugin, a widely used WordPress plugin for backup management. The flaw exists because the save_site_option() function lacks proper capability checks, allowing authenticated users with at least level access (such as contributors or editors) to modify arbitrary site options. This missing authorization enables attackers to escalate privileges by changing critical settings like the default user role for new registrations to 'administrator' and enabling user registration. Consequently, an attacker can create new administrative accounts without needing higher privileges initially. The vulnerability affects all versions up to and including 5.6.2 and does not require user interaction, but it does require the attacker to be authenticated with some level of access. The CVSS v3.1 score of 7.2 reflects a high severity due to the network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk of complete site compromise if exploited. The plugin’s widespread use in WordPress environments makes this a critical issue for website administrators and security teams to address.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress sites with the BackWPup plugin installed. Successful exploitation can lead to full administrative control over affected websites, allowing attackers to manipulate content, steal sensitive data, deploy malware, or disrupt services. This can result in reputational damage, data breaches involving personal data protected under GDPR, and operational downtime. Organizations in sectors such as e-commerce, government, healthcare, and media, which often use WordPress for public-facing websites, are particularly vulnerable. The ability to escalate privileges from lower-level authenticated users means that even compromised or less privileged accounts can be leveraged for a full site takeover. This elevates the threat landscape for European entities, increasing the likelihood of targeted attacks or opportunistic exploitation by cybercriminals. Additionally, the lack of public exploits currently does not diminish the urgency, as attackers may develop exploits rapidly once the vulnerability is widely known.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately update the BackWPup plugin to a version that includes the necessary authorization checks once available. Until a patch is released, organizations should restrict plugin access to only trusted administrators and disable user registration if not required. Implementing strict role-based access controls (RBAC) within WordPress to limit the number of users with editing or higher privileges can reduce the attack surface. Monitoring and auditing changes to site options and user roles can help detect suspicious activity early. Employing Web Application Firewalls (WAFs) with custom rules to block unauthorized attempts to invoke the save_site_option() function may provide temporary protection. Additionally, organizations should enforce strong authentication mechanisms and consider multi-factor authentication (MFA) for all users with elevated privileges. Regular backups and incident response plans should be reviewed and tested to ensure rapid recovery in case of compromise.
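The option audit recommended above can be automated. The following is an added example, not code from this page or from the plugin: it assumes the site's options have been exported as JSON rows of `option_name`/`option_value` (the shape WP-CLI's `wp option list --format=json` produces) and checks the two WordPress core options behind the settings the description names, `users_can_register` and `default_role`. The sample rows are constructed.

```python
import json

# Options behind the advisory's escalation path, with stock WordPress values.
WATCHED = {"users_can_register": "0", "default_role": "subscriber"}
# Built-in roles above subscriber; any of these as default_role needs review.
ELEVATED = {"contributor", "author", "editor", "administrator"}

def load_options(dump):
    """Parse a JSON list of {"option_name", "option_value"} rows into a dict."""
    return {r["option_name"]: str(r["option_value"]) for r in json.loads(dump)}

def audit(current, baseline=None):
    """Return (severity, message) findings for the watched options.

    baseline overrides the stock values, e.g. for a site that
    intentionally allows registration.
    """
    baseline = {**WATCHED, **(baseline or {})}
    findings = []
    for name, expected in baseline.items():
        actual = current.get(name, WATCHED.get(name, ""))
        if actual != expected:
            findings.append(("changed", f"{name}: {expected!r} -> {actual!r}"))
    role = current.get("default_role", "subscriber")
    open_reg = current.get("users_can_register", "0") == "1"
    if role in ELEVATED:
        if open_reg:
            findings.append(("critical", f"self-registration grants role {role!r}"))
        else:
            findings.append(("high", f"default_role is {role!r}; registration closed"))
    return findings

# Constructed sample rows, not taken from a real site.
TAMPERED = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "blogname", "option_value": "Example"},
])
CLEAN = json.dumps([
    {"option_name": "users_can_register", "option_value": "0"},
    {"option_name": "default_role", "option_value": "subscriber"},
])

if __name__ == "__main__":
    for label, dump in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(label, audit(load_options(dump)))
```

Run it on a schedule against a fresh export and alert on any `critical` or `high` finding; a `changed` finding on its own means the value drifted from the recorded baseline and should be matched to a known administrative action.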


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-23T12:23:58.877Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699697f46aea4a407a3be0b1

Added to database: 2/19/2026, 4:56:20 AM

Last enriched: 2/19/2026, 5:11:28 AM

Last updated: 2/21/2026, 12:16:01 AM
