CVE-2019-25224

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-25224
The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html Exploit Third Party Advisory
https://packetstormsecurity.com/files/153781/ Exploit Third Party Advisory
https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup Patch
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb Exploit
https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/ Exploit Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpseeds:wp_database_backup:*:*:*:*:*:wordpress:*:*
History

11 Aug 2025, 18:57

Type Values Removed Values Added
First Time Wpseeds wp Database Backup
Wpseeds
Summary
  • (es) El complemento WP Database Backup para WordPress es vulnerable a la inyección de comandos del sistema operativo en versiones anteriores a la 5.2 mediante la función mysqldump. Esta vulnerabilidad permite a atacantes no autenticados ejecutar comandos arbitrarios en el sistema operativo host.
CPE cpe:2.3:a:wpseeds:wp_database_backup:*:*:*:*:*:wordpress:*:*
References () https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html - () https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html - Exploit, Third Party Advisory
References () https://packetstormsecurity.com/files/153781/ - () https://packetstormsecurity.com/files/153781/ - Exploit, Third Party Advisory
References () https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup - () https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup - Patch
References () https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb - () https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb - Exploit
References () https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/ - () https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/ - Exploit, Third Party Advisory
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve - Third Party Advisory

25 Jul 2025, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-25 03:15

Updated : 2025-08-11 18:57

NVD link : CVE-2019-25224

Mitre link : CVE-2019-25224

CVE.ORG link : CVE-2019-25224

JSON object : View

Products Affected

wpseeds

  • wp_database_backup
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')