Back to overview

CVE-2026-9834

HIGH
7.2
CVSS 3.1
Description
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. This is due to the direct concatenation of user-supplied `$_POST['wp_db_exclude_table']` values into the `mysqldump` shell command string in the `mysqldump()` function of `includes/admin/class-wpdb-admin.php` without wrapping them in `escapeshellarg()`—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, `sanitize_text_field()` via `recursive_sanitize_text_field()`, strips HTML tags but leaves shell metacharacters such as `;`, `|`, `` ` ``, and `$()` intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via `update_option('wp_db_exclude_table')` and later retrieved with `get_option()` and passed unsanitized to `shell_exec()` whenever a backup operation runs.

Metadata

CVE ID
CVE-2026-9834
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-05-28 12:40 UTC
Published
2026-07-02 08:33 UTC
Last updated
2026-07-02 12:24 UTC
Primary CWE
CWE-77
CWE-77 Improper Neutralization of Special Elements used in a…
Vendor / Product
databasebackup / WP Database Backup – Unlimited Database & Files Backup by Backup for WP
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
databasebackup WP Database Backup – Unlimited Database & Files Backup by Backup for WP 0 ≤ 7.11
Weakness (CWE)
CWESourceDescription
CWE-77 cna CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Back to overview