Attack Vectors
CVE-2026-1311 affects the Worry Proof Backup WordPress plugin (slug: worry-proof-backup) in all versions up to and including 0.2.4. It is rated High severity with a CVSS 8.8 score (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The primary attack path is through the plugin’s backup upload functionality. An attacker needs an authenticated WordPress account with Subscriber-level access or higher. In many organizations, subscriber accounts are easy to obtain (e.g., through public registration, compromised credentials, or reused passwords), which increases practical risk.
Because the vulnerable upload endpoint is reachable over the network (the CVSS vector is AV:N) and exploitation requires no user interaction, the flaw can be exploited quickly once an attacker holds any valid low-privilege login.
Security Weakness
The vulnerability is a Path Traversal issue during the handling of an uploaded ZIP archive. By crafting a malicious ZIP containing path traversal sequences, an authenticated attacker can cause files to be written outside of the expected destination directory.
As reported, this can enable an attacker to write arbitrary files anywhere on the server, including placing executable PHP files in web-accessible locations. This creates a direct path to remote code execution under the web server’s permissions.
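As an added illustration (not the plugin's code, which is not shown here), the following Python shows the containment check a safe archive extractor must apply to every entry name before writing to disk. The sample ZIP, its entry names and the scratch directory are constructed for this example; the check also rejects absolute paths and drive-letter prefixes, which generalises the ".." case described above.

```python
import io
import os
import tempfile
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the plugin): one benign entry and
    one "Zip Slip" entry whose name uses ".." to escape the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup-contents/db.sql", "-- constructed dump --")
        zf.writestr("../../web-root/dropped.php", "placeholder, not code")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if member_name, after normalisation, resolves inside dest_dir.
    This containment check is exactly what a vulnerable extractor omits."""
    dest_root = os.path.realpath(dest_dir)
    # Absolute paths and drive-letter prefixes are never valid relative entries.
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return False
    target = os.path.realpath(os.path.join(dest_root, member_name))
    return target == dest_root or target.startswith(dest_root + os.sep)


def extract_safely(zip_bytes: bytes, dest_dir: str):
    """Extract only entries contained in dest_dir; return (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)  # worth logging as a hostile upload
                continue
            target = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo():
    """Run the safe extractor on the sample archive inside a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        return extract_safely(build_sample_zip(), os.path.join(scratch, "restore"))
```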
Technical or Business Impacts
From a business-risk perspective, this High-severity issue can escalate from “a compromised user account” into a full site takeover. If attackers can upload and execute PHP, they may run commands, install backdoors, and persist even after password resets.
Potential impacts include:
- Data exposure (customer data, marketing lists, lead data, order records, or internal documents), aligning with the CVSS “High” confidentiality impact.
- Site defacement or content manipulation, affecting brand trust and campaign performance (integrity impact).
- Service disruption (site downtime, ransomware-style lockouts, or resource abuse), harming revenue and operational continuity (availability impact).
- Compliance and legal risk if regulated or sensitive data is accessed, including incident reporting obligations and potential contractual penalties.
Because the required privilege is only Subscriber+, organizations that allow account creation for downloads, events, communities, or gated content should treat this as an elevated risk scenario.
Similar Attacks
Path traversal vulnerabilities are a common route to serious outcomes, including file exposure and remote code execution. Notable examples include:
- CVE-2021-41773 (Apache HTTP Server 2.4.49 Path Traversal)
- CVE-2018-13379 (Fortinet FortiOS SSL VPN Path Traversal)
- Snyk research: “Zip Slip” (archive extraction path traversal class)
Remediation
At the time of reporting, there is no known patch available for Worry Proof Backup covering versions up to 0.2.4. Given the severity and the potential for remote code execution, the most risk-reducing option may be to uninstall the affected plugin and replace it with an alternative that is actively maintained.
If immediate removal is not possible, consider mitigations aligned to your risk tolerance:
- Disable or restrict backup upload functionality if your operational workflow allows it (or restrict access to only a tightly controlled admin group).
- Remove public user registration (or harden it) and review all existing Subscriber accounts for legitimacy; promptly disable unknown or inactive accounts.
- Enforce strong authentication controls (unique passwords, MFA where feasible) to reduce the likelihood of an attacker obtaining any authenticated account.
- Increase monitoring and alerting for unexpected file changes in web directories and for unusual admin activity; treat new/unknown PHP files as a high-priority indicator.
- Prepare an incident response path: ensure offline backups exist, confirm restore procedures, and define who owns decisions if the site must be taken offline.
Reference: Wordfence vulnerability advisory and the official CVE record: CVE-2026-1311.