CVE-2026-6227 is a path traversal vulnerability (CWE-22) in the BackWPup WordPress Backup & Restore Plugin affecting all versions up to 5.6.6. The issue arises from inadequate sanitization of the `block_name` parameter in the `/wp-json/backwpup/v1/getblock` REST endpoint, where a non-recursive `str_replace()` fails to fully remove traversal sequences. Authenticated users with Administrator privileges can leverage this to include arbitrary PHP files on the server, potentially reading sensitive configuration files or achieving remote code execution depending on environment specifics. Additionally, administrators can delegate backup permissions to lower-privileged users, which may increase the attack surface. No official patch or remediation guidance is currently available, and no known exploits in the wild have been reported.

Successful exploitation allows authenticated users with Administrator-level access or delegated backup permissions to perform local file inclusion via crafted path traversal sequences. This can lead to disclosure of sensitive files such as `wp-config.php` and may enable remote code execution depending on server configuration. The vulnerability compromises confidentiality, integrity, and availability of the affected system, reflected in a CVSS v3.1 score of 7.2 (high severity). There are no known public exploits at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict administrative and backup handling permissions strictly to trusted users. Monitor for updates from the plugin vendor or WordPress security channels and apply patches promptly once available. Avoid exposing the REST endpoint unnecessarily and consider additional access controls or web application firewall rules to limit exploitation opportunities.