CVE-2015-10134
Published 2025-07-19
Priority: P3 54 · Severity: high · CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.15% (63.0th percentile)
The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10 via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mywebsiteadvisor | simple_backup | < 2.7.11 | 2.7.11 |
| mywebsiteadvisor | simple_backup | <= 2.7.10 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to WordPress admin endpoints invoking the 'download_backup_file' function, particularly those attempting path traversal to retrieve wp-config.php or other sensitive files.
- Unauthenticated or low-privileged requests to wp-admin/admin.php with parameters referencing the Simple Backup plugin and a file download action should be flagged as suspicious, as the vulnerability requires no capability checks.
- Directory traversal sequences (e.g., '../') in the file parameter of requests targeting the Simple Backup plugin endpoint are indicative of exploitation attempts.
- The vulnerability affects only Simple Backup plugin versions up to and including 2.7.10; ensure version fingerprinting is accurate before acting on detections.
- Exploitation is performed with web server privileges, meaning the scope of file access is limited to files readable by the web server process — not necessarily full system compromise.
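As an added illustration of the detection guidance above (not code from this page or from the Simple Backup project), here is a small Python scanner that applies those indicators to constructed access-log lines. The query parameter names `download_backup_file` and `file` used to locate the request are assumptions, since the page names only the function, not the plugin's request interface.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the page). The parameter
# names page=, download_backup_file= and file= are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=backup_settings&download_backup_file=1&file=../../../wp-config.php HTTP/1.1" 200 2510
203.0.113.6 - - [19/Jul/2025:10:00:02 +0000] "GET /wp-admin/admin.php?page=backup_settings&download_backup_file=1&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2510
198.51.100.7 - - [19/Jul/2025:10:00:03 +0000] "GET /wp-admin/admin.php?page=backup_settings&download_backup_file=1&file=backup-2025-07-19.zip HTTP/1.1" 200 884201
198.51.100.8 - - [19/Jul/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3102
"""

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status, size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE = ("wp-config.php", ".htaccess", "/etc/passwd")  # constructed watch-list

def analyze_line(line):
    """Return the reasons a request matches the CVE-2015-10134 indicators, or [] if benign."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if "download_backup_file" not in params:  # assumed name of the download action parameter
        return []
    reasons = []
    for raw in params.get("file", []):        # assumed name of the file parameter
        decoded = unquote(unquote(raw))       # also catch double-encoded traversal (%252e%252e)
        if "../" in decoded or "..\\" in decoded:
            reasons.append("path traversal in file parameter")
        if any(s in decoded for s in SENSITIVE):
            reasons.append("sensitive file requested")
    # Vulnerable versions perform no capability check, so a 200 on a flagged
    # request means the download most likely succeeded. Plain backup filenames are not flagged.
    if reasons and m.group("status") == "200":
        reasons.append("server returned 200")
    return reasons

def scan_log(text):
    """Map each flagged client IP to its alert reasons."""
    alerts = {}
    for line in text.splitlines():
        reasons = analyze_line(line)
        if reasons:
            alerts[REQUEST_RE.match(line).group("ip")] = reasons
    return alerts

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```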
No detection rules found.
No writeups or analysis indexed.