CVE-2019-25224 | The WP Database Backup plugin for WordPress is vulnerable to… | CVSS 9.8 CRITICAL

Description

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

Metadata

CVE ID: CVE-2019-25224
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-07-24 14:06 UTC
Published: 2025-07-25 02:23 UTC
Last updated: 2026-04-08 17:25 UTC
Primary CWE: CWE-78
CWE-78 Improper Neutralization of Special Elements used in a…
Vendor / Product: databasebackup / WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
databasebackup	WP Database Backup – Unlimited Database & Files Backup by Backup for WP	—	0 < 5.2

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (6)