CVE-2026-4030: WordPress Plugin Exposes Multisite Files to Unauthenticated Attackers

The National Vulnerability Database has detailed CVE-2026-4030, a critical flaw in the Database Backup for WordPress plugin affecting all versions up to 2.5.2. This vulnerability allows unauthenticated attackers to read and delete arbitrary files on the server. The root cause is an inadequate authorization check combined with a user-controlled backup directory parameter, leading to sensitive information exposure and potential site takeover.

Critically, this high-severity vulnerability (CVSS 8.1) is only exploitable in WordPress Multisite environments that still utilize the deprecated is_site_admin() function. While this narrows the attack surface, it doesn’t diminish the impact for affected organizations. Attackers can leverage this to exfiltrate sensitive data or disrupt operations by deleting critical files.

This isn’t just about data exposure; it’s about control. An attacker gaining arbitrary file read and delete capabilities can effectively dismantle a site or steal credentials, setting the stage for further compromise. Defenders need to recognize that even deprecated functions can be critical attack vectors if not properly retired or secured.

What This Means For You

  • If your organization runs WordPress Multisite, especially with the Database Backup for WordPress plugin, you need to act immediately. Verify if the `is_site_admin()` function is still in use. If it is, and you're running any version of the plugin up to 2.5.2, you are vulnerable. Prioritize patching or disabling the plugin until a fix is available, and audit your server logs for any suspicious file access or deletion attempts.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2026-4030: WordPress Database Backup Plugin Arbitrary File Read

```yaml
# Title is quoted because a plain YAML scalar cannot contain ": ".
title: 'CVE-2026-4030: WordPress Database Backup Plugin Arbitrary File Read'
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-4030 by targeting the 'backup_backup_download' action in the WordPress Database Backup plugin via admin-ajax.php. This specific URI query pattern is indicative of an unauthenticated attacker attempting to read arbitrary files from a WordPress Multisite environment.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4030/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=backup_backup_download'
  # condition belongs at the detection level, beside the selection it names
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse
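The rule's matching logic applied to web access logs, as an added example that is not part of the original page or the SCW rule set. It assumes Combined Log Format, percent-decodes the request before matching, and groups hits by client IP with the response status for triage; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format (assumed): ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
AJAX_PATH = "/wp-admin/admin-ajax.php"  # from the rule's cs-uri selection
ACTION = "backup_backup_download"       # from the rule's cs-uri-query selection

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2026:16:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=backup_backup_download HTTP/1.1" 200 5120 "-" "curl/8.5.0"
198.51.100.23 - - [14/May/2026:16:21:10 +0000] "GET /site2/wp-admin/admin-ajax.php?action=backup%5Fbackup%5Fdownload HTTP/1.1" 200 812 "-" "python-requests/2.32"
192.0.2.10 - - [14/May/2026:16:22:44 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.10 - - [14/May/2026:16:23:02 +0000] "GET /blog/?action=backup_backup_download HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2026:16:24:30 +0000] "GET /wp-admin/admin-ajax.php?foo=1&action=backup_backup_download HTTP/1.1" 403 0 "-" "curl/8.5.0"
not a log line
"""

def match_line(line):
    """Return a dict describing the hit, or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not treated as hits
    url = urlsplit(m["target"])
    # "contains" on the decoded path also covers Multisite subdirectory sites.
    if AJAX_PATH not in unquote(url.path):
        return None
    # parse_qs percent-decodes values, so an encoded action name still matches.
    if ACTION not in parse_qs(url.query, keep_blank_values=True).get("action", []):
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "target": m["target"]}

def summarize(lines):
    """Group hits by client IP: request count and the status codes returned."""
    out = {}
    for hit in filter(None, map(match_line, lines)):
        entry = out.setdefault(hit["ip"], {"count": 0, "statuses": []})
        entry["count"] += 1
        entry["statuses"].append(hit["status"])
    return out

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, info["count"], info["statuses"])
```

Only the query string appears in an access log, so requests that carry `action` in a POST body are outside this check; cover those with WAF or application-level logging.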


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4030 | Information Disclosure | Database Backup for WordPress plugin <= 2.5.2 |
| CVE-2026-4030 | Path Traversal | Database Backup for WordPress plugin <= 2.5.2 - arbitrary file read |
| CVE-2026-4030 | Auth Bypass | Database Backup for WordPress plugin <= 2.5.2 - improper authorization check |
| CVE-2026-4030 | Arbitrary File Deletion | Database Backup for WordPress plugin <= 2.5.2 - arbitrary file deletion |
| CVE-2026-4030 | Misconfiguration | WordPress Multisite environments with deprecated is_site_admin() function |

Source & Attribution

  • Source Platform: NVD
  • Channel: National Vulnerability Database
  • Published: May 14, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
