CYAN Backup

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Description

The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Basic Information

ID CVE-2025-12092

Source Wordfence

Published Nov 8, 2025 at 09:28

Affected Product

Vendor gregross

Product CYAN Backup

Version *

Affected Versions gregross CYAN Backup *

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "The CYAN Backup plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' functionality in all versions up to, and including, 2.5.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).",
    "published": "2025-11-08T09:28:09.323Z",
    "modified": "2025-11-08T09:28:09.323Z",
    "type": "cve",
    "title": "CYAN Backup <= 2.5.4 - Authenticated (Admin+) Arbitrary File Deletion",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39972b06-920f-48b0-aa36-bb5caab87cb6?source=cve\nhttps://plugins.trac.wordpress.org/changeset/3390065/cyan-backup/tags/2.5.5/includes/page-backups.php\nhttps://github.com/toolstack/cyan-backup/commit/4a79d23e8ba330b5cb655a083c6a00ef32a7b249",
    "id": "CVE-2025-12092",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "gregross CYAN Backup *",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CYAN Backup",
    "version": "*",
    "vendor": "gregross",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

CYAN Backup <= 2.5.4 - Authenticated (Admin+) Arbitrary File Deletion_CVE-2025-12092