CVE-2026-9834
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. This is due to the direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into the mysqldump shell command string in the mysqldump() function of includes/admin/class-wpdb-admin.php without wrapping them in escapeshellarg()—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, `, and $() intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table') and later retrieved with get_option() and passed unsanitized to shell_exec() whenever a backup operation runs.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| databasebackup | WP Database Backup – Unlimited Database & Files Backup by Backup for WP | 0 <= 7.11 | affected |
Weaknesses
- CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0a97a217-b00b-4268-a472-8d62ae1d18e3?source=cve
- https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2644
- https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2654
- https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L216
- https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2644
- https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2654
- https://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L216
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574273%40wp-database-backup&new=3574273%40wp-database-backup&sfp_email=&sfph_mail=
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.