← back
CVE-2021-47979

WordPress Plugin Backup and Restore 1.0.3 Arbitrary File Deletion

CVSS 8.7 HIGHEPSS 0.4%CWE-22
Vexday Risk Score
41Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 8.7EPSS 0.4%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
16 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted file_name and folder_name parameters to delete arbitrary files from the WordPress installation directory.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Miniorange · Backup and Restore
public PoCs found1
cve_referencewww.exploit-db.com/exploits/50503unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wordpress.org/plugins/backup-and-restore-for-wp/https://www.exploit-db.com/exploits/50503https://www.miniorange.com/https://www.vulncheck.com/advisories/wordpress-plugin-backup-and-restore-arbitrary-file-deletion