Back to overview

CVE-2026-14503

MEDIUM
6.5
CVSS 3.1
Description
The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered.

Metadata

CVE ID
CVE-2026-14503
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-02 18:06 UTC
Published
2026-07-17 03:43 UTC
Last updated
2026-07-17 03:43 UTC
Primary CWE
CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product
ploudapp / pCloud WP Backup
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
ploudapp pCloud WP Backup 0 ≤ 2.0.3
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Back to overview