CVE-2015-10134

HIGH

Simple Backup <2.7.10 - Arbitrary File Download

Title source: llm

Description

The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10. via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.

Exploits (1)

metasploit WORKING POC

by Mahdi.Hidden · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb

View Code ZIP pw:eip

References (2)

[Exploit] https://packetstormsecurity.com/files/131919/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/29482b70-0ff2-4bb1-9d41-9cffb83b5ad0?source=cve

Scores

CVSS v3 7.5

EPSS 0.5634

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-22

Status published

Products (2)

mywebsiteadvisor/Simple Backup < 2.7.11

mywebsiteadvisor/simple_backup < 2.7.10

Published Jul 19, 2025

Tracked Since Feb 18, 2026