Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-13
CVE-2026-4305 - Restore Plugin
The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
PLUGIN
Restore
CVE-2026-4305
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-15041 - Restore Plugin
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Restore
CVE-2025-15041
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10579 - Restore Plugin
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).
PLUGIN
Restore
CVE-2025-10579
Risk Score