CVE-2015-10134
published 2025-07-19

Priority: P3 · 54 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 1.15% (63.0th percentile)
The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10 via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.

Affected (2 ranges)

Vendor            Product        Version range   Fixed in
mywebsiteadvisor  simple_backup  < 2.7.11        2.7.11
mywebsiteadvisor  simple_backup  <= 2.7.10

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin.php?page=simple-backup&action=download_backup_file
Version: Simple Backup <= 2.7.10
  • Monitor HTTP requests to WordPress admin endpoints invoking the 'download_backup_file' function, particularly those attempting path traversal to retrieve wp-config.php or other sensitive files.
  • Unauthenticated or low-privileged requests to wp-admin/admin.php with parameters referencing the Simple Backup plugin and a file download action should be flagged as suspicious, as the vulnerability requires no capability checks.
  • Directory traversal sequences (e.g., '../') in the file parameter of requests targeting the Simple Backup plugin endpoint are indicative of exploitation attempts.
  • The vulnerability affects only Simple Backup plugin versions up to and including 2.7.10; ensure version fingerprinting is accurate before acting on detections.
  • Exploitation is performed with web server privileges, meaning the scope of file access is limited to files readable by the web server process — not necessarily full system compromise.
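The detection guidance above, turned into a small log scanner as an added example (not code from the CVE record, the plugin, or its vendor). It assumes Apache/nginx combined-format access logs, that the plugin passes the requested backup name in a query parameter (the page only says "the file parameter", so every parameter value is inspected rather than relying on a name), and uses constructed sample log lines with RFC 5737 documentation addresses. It percent-decodes values repeatedly so that single- or double-encoded '../' sequences are still caught, and it grades a traversal request that returned HTTP 200 higher than one that was refused.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=simple-backup&action=download_backup_file&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
198.51.100.7 - - [19/Jul/2025:10:00:05 +0000] "GET /wp-admin/admin.php?page=simple-backup&action=download_backup_file&file=backup-2025-07-18.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
192.0.2.3 - - [19/Jul/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=simple-backup HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Jul/2025:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Both Unix and Windows-style parent-directory sequences.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded '../' (%252F) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_simple_backup_download(target):
    """True when the request is the plugin's download action on admin.php."""
    parts = urlsplit(target)
    if not parts.path.endswith('/wp-admin/admin.php'):
        return False, {}
    qs = parse_qs(parts.query, keep_blank_values=True)
    hit = (qs.get('page') == ['simple-backup']
           and qs.get('action') == ['download_backup_file'])
    return hit, qs


def classify(qs, status):
    """Grade the request: traversal served with 200 is the strongest signal."""
    # The file parameter name is an assumption, so every value is checked.
    traversal = any(TRAVERSAL_RE.search(fully_decode(v))
                    for values in qs.values() for v in values)
    if traversal and status == 200:
        return 'high', traversal
    if traversal:
        return 'medium', traversal
    # No traversal: still worth review, since the action has no capability check.
    return 'low', traversal


def scan_log(text):
    """Return one alert dict per request hitting the download action."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit, qs = is_simple_backup_download(m['target'])
        if not hit:
            continue
        status = int(m['status'])
        severity, traversal = classify(qs, status)
        alerts.append({
            'ip': m['ip'], 'ts': m['ts'], 'status': status,
            'traversal': traversal, 'severity': severity,
            'target': m['target'],
        })
    return alerts


if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} {alert['ts']} "
              f"status={alert['status']} traversal={alert['traversal']}")
```

Run against the constructed log, the first line is reported as high (traversal, served with 200), the second as low (a plain backup download, which still deserves a look because the endpoint performs no capability check), and the other two lines produce nothing. Correlating the low-severity hits with the session or authentication logs, which the access log alone does not carry, is what separates a legitimate admin download from an unauthenticated one.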