BackWPup Plugin RCE Via Local File Inclusion

/HIGH
SCW vulnerabilitycvehigh-severityremote-code-executioncwe-22
BackWPup Plugin RCE Via Local File Inclusion

The National Vulnerability Database (NVD) has reported a critical Local File Inclusion (LFI) vulnerability, CVE-2026-6227, in the BackWPup plugin for WordPress. This flaw, present in all versions up to and including 5.6.6, stems from insufficient sanitization of path traversal sequences within the /wp-json/backwpup/v1/getblock REST endpoint. Specifically, a non-recursive str_replace() function fails to fully neutralize crafted traversal sequences like ....//.

This oversight allows authenticated attackers with Administrator-level access to include arbitrary PHP files on the server. While requiring high privileges, the NVD points out that administrators can delegate backup handling permissions to lower-level users, potentially broadening the attack surface. Successful exploitation can lead to the disclosure of sensitive data, such as wp-config.php, or, in certain configurations, achieve full remote code execution (RCE). The NVD has assigned this vulnerability a CVSS score of 7.2 (HIGH), underscoring its significant impact.

Related ATT&CK Techniques

T1204.002 Malicious File Execution T1053.005 Scheduled Task/Job: Scheduled Task Privilege Escalation T1087.001 Account Discovery: Local Account Discovery

🛡️ Detection Rules

1 rules · 5 SIEM formats

1 auto-generated detection rules for this incident, mapped to MITRE ATT&CK. Available in Sigma, Splunk SPL, Sentinel KQL, Elastic Lucene, and QRadar AQL.

medium T1204.002 Execution

Suspicious File Download via Email

Sigma Splunk SPL Sentinel KQL Elastic QRadar AQL

Get this rule in your SIEM's native format — copy, paste, detect. No manual conversion.

1 Sigma rules mapped to the ATT&CK techniques from this breach — pick your SIEM and get a ready-to-paste query.

Get Detection Rules →

Indicators of Compromise

IDTypeIndicator
CVE-2026-6227 Local File Inclusion BackWPup plugin for WordPress versions <= 5.6.6
CVE-2026-6227 Local File Inclusion Vulnerable REST endpoint: `/wp-json/backwpup/v1/getblock`
CVE-2026-6227 Local File Inclusion Vulnerable parameter: `block_name`
CVE-2026-6227 Path Traversal Path traversal sequence: `....//` due to non-recursive `str_replace()` sanitization
CVE-2026-6227 Privilege Escalation Authenticated attackers with Administrator-level access (or lower-level users granted backup permissions) can exploit

By Shimi's Cyber World Editorial

Related Posts

Critical RCE Flaw Hits NuGet Gallery Backend

CVE-2026-39399 — NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within...

vulnerabilityCVEcriticalhigh-severityremote-code-executioncwe-20cwe-22
/CRITICAL /⚑ 4 IOCs

BoidCMS LFI to RCE: A Critical Template Flaw

CVE-2026-39387 — BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are...

vulnerabilityCVEhigh-severityremote-code-executioncwe-98
/HIGH /⚑ 4 IOCs

Nanobot AI: WebSocket Hijack Puts WhatsApp Sessions at Risk

CVE-2026-35589 — nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server...

vulnerabilityCVEhigh-severitycwe-1385
/HIGH /⚑ 5 IOCs