CVE-2019-25224

CRITICAL

WP Database Backup <5.2 - Command Injection

Description

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Mikey Veenstra / Wordfence, Shelby Pace · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/wp_db_backup_rce.rb

Scores

CVSS v3 9.8
EPSS 0.8080
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-78
Status published
Products (2)
databasebackup/WP Database Backup – Unlimited Database & Files Backup by Backup for WP < 5.2
wpseeds/wp_database_backup < 5.2
Published Jul 25, 2025
Tracked Since Feb 18, 2026