CVE-2026-4029: WordPress Multisite Plugin Exposes Database
The National Vulnerability Database (NVD) reports CVE-2026-4029, a high-severity vulnerability (CVSS 7.5) affecting the Database Backup for WordPress plugin, versions up to and including 2.5.2. This flaw allows unauthenticated attackers to export database tables due to improper authorization enforcement. The root cause is the plugin’s failure to adequately validate the return value of its authorization check, leading to sensitive information exposure.
Exploitation is limited to WordPress Multisite installations, where the deprecated is_site_admin() function (superseded by is_super_admin() since WordPress 3.0) is still defined. That narrows the population of affected sites but not the impact on them: an unauthenticated attacker can dump the entire database, the worst case for data confidentiality.
For defenders the exploitation path is simple to reason about: locate a WordPress Multisite instance running the plugin, then pull its tables, with no account and no user interaction required (AV:N/AC:L/PR:N/UI:N). That profile suits opportunistic mass scanning. If you run WordPress Multisite, an audit for this plugin is not optional.
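The bug class the advisory describes (an authorization check whose return value is never acted on) is easiest to see as a vulnerable handler next to its hardened form. The block below is an added illustration, not the plugin's code: the function names, the export helper and the admin-post hook are hypothetical; only the WordPress functions is_site_admin(), is_super_admin(), is_user_logged_in(), check_admin_referer(), wp_die() and add_action() are real.

```php
<?php
// Added illustration of the bug class, NOT the plugin's code. The dbb_* names,
// the export helper and the hook registration are hypothetical; the WordPress
// API calls (is_site_admin, is_super_admin, is_user_logged_in,
// check_admin_referer, wp_die, add_action) are real.

/** Stand-in for the code that streams the tables out (assumed to exist). */
function dbb_stream_tables(): void {
    // SELECT * FROM each table and echo it as SQL/CSV ...
}

// --- Vulnerable shape: the authorization function is called, but whatever it
// returns is discarded, so nothing stops the export for an anonymous request.
// On a Multisite install is_site_admin() exists (deprecated), so the call
// succeeds and execution simply continues into the export.
function dbb_export_vulnerable(): void {
    is_site_admin();          // return value ignored: this is the missing check
    dbb_stream_tables();      // runs for anyone who reaches the handler
}

// Assumed wiring for the vulnerable shape: a 'nopriv' admin-post hook makes
// the handler reachable without logging in at all.
add_action( 'admin_post_nopriv_dbb_export', 'dbb_export_vulnerable' );

// --- Hardened shape: act on the capability check and fail closed, use the
// supported is_super_admin() instead of the deprecated wrapper, and require a
// nonce so a logged-in super admin cannot be CSRF'd into triggering a dump.
function dbb_export_hardened(): void {
    if ( ! is_user_logged_in() || ! is_super_admin() ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'dbb_export' );   // dies on a missing or invalid nonce
    dbb_stream_tables();
}

// Hardened wiring: only the authenticated hook is registered. Even if a
// 'nopriv' variant were added by mistake, the check inside the handler would
// still refuse an anonymous caller.
add_action( 'admin_post_dbb_export', 'dbb_export_hardened' );
```

The point of the hardened version is that the decision to export is made from the boolean the check returns, not from the fact that the check was invoked; the nonce is a separate concern (CSRF) that a backup endpoint should also cover.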
What This Means For You
- If your organization runs WordPress Multisite with the Database Backup for WordPress plugin installed, assess exposure to CVE-2026-4029 now: confirm whether the installed version is 2.5.2 or earlier and whether the deprecated `is_site_admin()` function is in play. Update to a release later than 2.5.2 if one is available, or remove the plugin; a backup plugin does not need to stay active while you decide. Because a full dump contains user password hashes and any credentials other plugins keep in `wp_options` or `usermeta`, treat evidence of an unauthenticated export as a credential-exposure incident, not just an information leak.
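A concrete way to run that audit is to apply the advisory's conditions (plugin at or below 2.5.2, a call to `is_site_admin()`, a Multisite install) against a plugins directory. The script below is an added example, not code from the plugin, NVD or the page's author. It matches the plugin by its `Plugin Name:` header, which is an assumption; the directory and file names in the fixture are illustrative, and the fixture is constructed so the script runs offline.

```php
<?php
// Added audit example, not code from the plugin, NVD or the page's author. It
// checks the advisory's three conditions: plugin version <= 2.5.2, a call to
// the deprecated is_site_admin() somewhere in the plugin, and a Multisite
// install. Matching on the "Plugin Name:" header is an assumption; the
// fixture directory/file names are illustrative. To audit a real site, call
// scan_plugins() on wp-content/plugins (e.g. from `wp eval-file`) and pass
// is_multisite() as the second argument.

const AFFECTED_PLUGIN = 'Database Backup for WordPress';  // from the advisory
const LAST_AFFECTED   = '2.5.2';                           // "up to and including"

/** Read the standard plugin header block into ['Plugin Name' => ..., 'Version' => ...]. */
function parse_plugin_header(string $php): array {
    $fields = [];
    foreach (['Plugin Name', 'Version'] as $key) {
        // Same header grammar WordPress uses: optional comment chars, "Key:", value.
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $php, $m)) {
            $fields[$key] = trim($m[1]);
        }
    }
    return $fields;
}

/** True when the source calls the deprecated Multisite function. */
function calls_is_site_admin(string $php): bool {
    return (bool) preg_match('/\bis_site_admin\s*\(/', $php);
}

/** One finding per copy of the affected plugin found under $plugins_dir. */
function scan_plugins(string $plugins_dir, bool $is_multisite): array {
    $findings = [];
    foreach (glob($plugins_dir . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
        // The header lives in the main plugin file; look at top-level PHP files.
        $header = [];
        foreach (glob($dir . '/*.php') ?: [] as $file) {
            $header = parse_plugin_header(file_get_contents($file));
            if (isset($header['Plugin Name'])) {
                break;
            }
        }
        if (($header['Plugin Name'] ?? '') !== AFFECTED_PLUGIN) {
            continue;
        }

        // The deprecated call may sit in any file of the plugin, not only the main one.
        $uses_deprecated = false;
        $iter = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($iter as $f) {
            if ($f->getExtension() === 'php'
                && calls_is_site_admin(file_get_contents($f->getPathname()))) {
                $uses_deprecated = true;
                break;
            }
        }

        $version          = $header['Version'] ?? '0';
        $affected_version = version_compare($version, LAST_AFFECTED, '<=');
        $findings[] = [
            'path'               => $dir,
            'version'            => $version,
            'affected_version'   => $affected_version,
            'uses_is_site_admin' => $uses_deprecated,
            // All three advisory conditions must hold for the sit to be exploitable.
            'exploitable'        => $is_multisite && $affected_version && $uses_deprecated,
        ];
    }
    return $findings;
}

// ---- Constructed fixture: a minimal copy of an affected plugin (illustrative names) ----
$root = sys_get_temp_dir() . '/cve-2026-4029-audit-' . getmypid();
$dir  = $root . '/database-backup-for-wordpress';
mkdir($dir, 0700, true);
file_put_contents($dir . '/plugin.php', <<<'FIXTURE'
<?php
/*
Plugin Name: Database Backup for WordPress
Version: 2.5.2
*/
function dbb_export() { is_site_admin(); /* export follows */ }
FIXTURE
);

// The fixture assumes a Multisite install; inside WordPress pass is_multisite().
foreach (scan_plugins($root, true) as $finding) {
    echo json_encode($finding, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
}

unlink($dir . '/plugin.php');   // fixture cleanup
rmdir($dir);
rmdir($root);
```

On the fixture the finding reports `affected_version`, `uses_is_site_admin` and `exploitable` all true; on a real site a copy at a later version, or one whose code no longer calls `is_site_admin()`, drops out of the exploitable set while still being listed so you can see why.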
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4029 | Information Disclosure | Database Backup for WordPress plugin <= 2.5.2 |
| CVE-2026-4029 | Auth Bypass | Improper authorization check enforcement in Database Backup for WordPress plugin |
| CVE-2026-4029 | Information Disclosure | Unauthorized database export via Database Backup for WordPress plugin |
| CVE-2026-4029 | Misconfiguration | Exploitable in WordPress Multisite environments where deprecated is_site_admin() function exists |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.