
CVE-2025-28954: CWE-352 Cross-Site Request Forgery (CSRF) in wphobby Backwp

High
Tags: Vulnerability, cve, cve-2025-28954, cwe-352
Published: Fri Jun 06 2025 (06/06/2025, 12:54:34 UTC)
Source: CVE Database V5
Vendor/Project: wphobby
Product: Backwp

Description

Cross-Site Request Forgery (CSRF) vulnerability in wphobby Backwp allows Path Traversal. This issue affects Backwp: from n/a through 2.0.2.

AI-Powered Analysis

Last updated: 07/08/2025, 00:10:23 UTC

Technical Analysis

CVE-2025-28954 is a high-severity vulnerability classified as CWE-352, indicating a Cross-Site Request Forgery (CSRF) issue in the wphobby Backwp plugin. This vulnerability affects versions up to 2.0.2 of the Backwp product. The CSRF flaw allows an attacker to trick an authenticated user into submitting unauthorized requests to the vulnerable web application. In this case, the CSRF vulnerability is linked to a path traversal issue, which can enable an attacker to manipulate file paths on the server, potentially leading to denial of service or other disruptions. The CVSS 3.1 score of 7.4 reflects a network attack vector with low attack complexity, no privileges required, but requiring user interaction, and impacting availability with a scope change. The vulnerability does not impact confidentiality or integrity directly but can cause significant availability issues by exploiting path traversal via CSRF. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in March 2025 and published in June 2025. The combination of CSRF and path traversal is particularly dangerous because it leverages the victim's authenticated session to perform unauthorized actions that can disrupt service or manipulate server files indirectly.

Potential Impact

For European organizations using the wphobby Backwp plugin, this vulnerability poses a significant risk to website availability and operational continuity. Since Backwp is a WordPress plugin, organizations relying on WordPress for their web presence or internal portals could face service disruptions if attackers exploit this vulnerability. The path traversal aspect could allow attackers to cause denial of service or potentially interfere with backup or restoration processes managed by the plugin, impacting business continuity. Although confidentiality and integrity are not directly compromised, the availability impact can lead to downtime, loss of customer trust, and potential regulatory scrutiny under GDPR if service disruptions affect user data processing. The requirement for user interaction means phishing or social engineering could be used to exploit this vulnerability, increasing the risk in environments with less user security awareness. The lack of patches means organizations must act quickly to mitigate risk before official fixes are available.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the wphobby Backwp plugin and its version. Until patches are released, the most effective mitigation is to disable or uninstall the Backwp plugin to eliminate the attack surface. If disabling is not feasible, organizations should implement strict Content Security Policy (CSP) headers and SameSite cookie attributes to reduce CSRF risks. Additionally, user training to recognize phishing attempts can reduce the likelihood of successful exploitation. Web Application Firewalls (WAFs) should be configured to detect and block suspicious requests that attempt path traversal or unusual POST requests to the plugin endpoints. Monitoring logs for anomalous activity related to Backwp plugin endpoints can provide early detection. Finally, organizations should prepare for rapid patch deployment once a fix is available and consider isolating critical WordPress instances from public access where possible.
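The log-monitoring and WAF recommendations above, as an added example that is not from the advisory or the plugin: a small Python scanner over combined-format web-server log lines that flags percent-decoded traversal sequences in the request target and POST requests to the plugin's admin endpoints that arrive without a Referer or from a foreign origin (the cross-site pattern a CSRF lure produces). The endpoint paths, the site host and the log lines are constructed assumptions; the advisory does not name the plugin's real handlers.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache/Nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Hypothetical endpoint markers: the advisory does not name the plugin's real handlers.
PLUGIN_MARKERS = ("backwp",)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # ../ or ..\ once the target is decoded
def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so a double-encoded ..%252F.. is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyze_line(line, site_host):
    """Return a finding dict for a suspicious request, or None for benign/unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(decode_fully(m["target"]))
    request = parts.path + "?" + parts.query
    reasons = []
    if TRAVERSAL_RE.search(request):
        reasons.append("traversal sequence in request target")
    if m["method"] == "POST" and any(k in request.lower() for k in PLUGIN_MARKERS):
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host is None:
            reasons.append("POST to plugin endpoint without Referer")
        elif ref_host != site_host.lower():
            reasons.append(f"POST to plugin endpoint from foreign origin {ref_host}")
    return {"ip": m["ip"], "target": m["target"], "reasons": reasons} if reasons else None
def scan(lines, site_host):
    return [f for f in (analyze_line(ln, site_host) for ln in lines) if f]
# Constructed sample log lines (not real traffic); the endpoints are assumptions.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2025:12:54:34 +0000] "POST /wp-admin/admin.php?page=backwp HTTP/1.1" 200 512 "https://shop.example/wp-admin/admin.php?page=backwp" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2025:12:55:01 +0000] "POST /wp-admin/admin.php?page=backwp&file=..%2F..%2Fbackups HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2025:12:55:09 +0000] "POST /wp-admin/admin-ajax.php?action=backwp_restore&path=..%252F..%252Fother HTTP/1.1" 200 40 "-" "curl/8.0"',
    '203.0.113.9 - - [06/Jun/2025:12:56:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, "shop.example"):
        print(finding["ip"], finding["target"], "; ".join(finding["reasons"]))
```

The Referer heuristic only catches lures that send one; a missing Referer is reported as its own reason so same-site POSTs from privacy-stripping browsers can be triaged separately rather than silently ignored.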


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-11T08:10:12.306Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842edda71f4d251b5c87f36

Added to database: 6/6/2025, 1:32:10 PM

Last enriched: 7/8/2025, 12:10:23 AM

Last updated: 8/4/2025, 6:13:21 PM
