CVE-2019-25224
WP Database Backup < 5.2 - Unauthenticated OS Command Injection
Vexday Risk Score
68High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.8EPSS 16.7%KEV nãoPoC públicaNuclei —Metasploit simPatch —
Lifecycle
24 Apr 2019Metasploit module available
25 Jul 2025Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
databasebackup · WP Database Backup – Unlimited Database & Files Backup by Backup for WPpublic PoCs found — 1
cve_referencepacketstormsecurity.com/files/153781/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.htmlhttps://packetstormsecurity.com/files/153781/https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backuphttps://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rbhttps://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve