{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14944", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-19T00:55:56.950Z", "datePublished": "2026-04-07T16:26:24.676Z", "dateUpdated": "2026-04-08T17:12:41.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:41.782Z"}, "affected": [{"vendor": "inisev", "product": "BackupBliss \u2013 Backup & Migration with Free Cloud Storage", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion."}], "title": "Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafa\u0142"}], "timeline": [{"time": "2026-04-06T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T18:28:36.678542Z", "id": "CVE-2025-14944", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:28:56.700Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14944", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T18:28:36.678542Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T18:28:52.218Z"}}], "cna": {"title": "Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage", "credits": [{"lang": "en", "type": "finder", "value": "Rafa\u0142"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "inisev", "product": "BackupBliss \u2013 Backup & Migration with Free Cloud Storage", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-06T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php"}], "descriptions": [{"lang": "en", "value": "The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-07T16:26:24.676Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14944", "state": "PUBLISHED", "dateUpdated": "2026-04-07T18:28:56.700Z", "dateReserved": "2025-12-19T00:55:56.950Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-07T16:26:24.676Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion."}], "id": "CVE-2025-14944", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-07T17:16:25.927", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BackupBliss \u2013 Backup & Migration with Free Cloud Storage", "source": "cna", "vendor": "inisev"}, "product": "backupbliss_\u2013_backup_&_migration_with_free_cloud_storage", "vendor": "inisev"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-07T22:08:30.824750+00:00", "value": {"mitigation_remediation": ["Upgrade the Backup Migration plugin to version 2.1.0 or later, which removes the missing authorization check and implements proper nonce validation.", "After upgrading, verify that the plugin\u2019s AJAX endpoints enforce the correct user capability and that nonce checks are active.", "If upgrading immediately is not possible, block or restrict the offline backup upload feature or the related AJAX URL using web\u2011server access controls or a firewall rule.", "Continuously monitor the site for any unexpected backup activity and confirm that no unauthorized data is being transferred to cloud storage."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Backup Upload & Resource Exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the WordPress plugin named inisev:BackupBliss \u2013 Backup & Migration with Free Cloud Storage, commonly known as the Backup Migration plugin, up to and including version 2.0.0. WordPress sites that have this plugin installed and have not applied the newer 2.1.0 update are impacted.", "description_and_impact": "The Backup Migration plugin for WordPress suffers from a missing capability verification and no nonce protection on its initializeOfflineAjax function, exposing hard\u2011coded tokens in the plugin\u2019s JavaScript. Because of this, any unauthenticated user can invoke the AJAX endpoint that triggers the backup upload queue. The consequence is that backups may be transferred to the attacker\u2011specified cloud storage destination without authorization, and repeated invocations can exhaust server resources. This flaw is a classic Missing Authorization vulnerability (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and the lack of EPSS data makes it unclear how frequently the flaw will be exploited. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely by sending unauthenticated HTTP requests to the plugin\u2019s AJAX endpoint without any proof\u2011of\u2011concept documentation, allowing unauthorized backup uploads and potential resource exhaustion. The risk is moderate but remediation should be considered a priority to prevent data leakage and performance degradation."}}}}, "created": "2026-04-08T19:36:52.504671+00:00", "updated": "2026-04-08T19:47:56.741953+00:00", "vendors": ["inisev", "inisev$PRODUCT$backupbliss_\u2013_backup_&_migration_with_free_cloud_storage", "wordpress", "wordpress$PRODUCT$wordpress"]}