CVE-2019-25224

CRITICAL

WP Database Backup <5.2 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25224. PoCs published by Mikey Veenstra / Wordfence, Shelby Pace, including Metasploit module exploits/multi/http/wp_db_backup_rce.

AI-analyzed exploit summary This Metasploit module exploits a command injection vulnerability in the WordPress plugin `wp-database-backup` versions < 5.2. It injects arbitrary commands via the `wp_db_exclude_table` parameter, which are executed during database backup creation.

Description

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Mikey Veenstra / Wordfence, Shelby Pace · rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_db_backup_rce.rb

This Metasploit module exploits a command injection vulnerability in the WordPress plugin `wp-database-backup` versions < 5.2. It injects arbitrary commands via the `wp_db_exclude_table` parameter, which are executed during database backup creation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: WordPress plugin wp-database-backup < 5.2
Auth required
Prerequisites: Valid WordPress credentials · Access to the WordPress admin panel
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

CVSS v3 9.8
EPSS 0.1668
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-78
Status published
Products (2)
databasebackup/WP Database Backup – Unlimited Database & Files Backup by Backup for WP < 5.2
wpseeds/wp_database_backup < 5.2
Published Jul 25, 2025
Tracked Since Feb 18, 2026