CVE-2019-25224
published 2025-07-25


Priority: P1 (84) · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 16.68% (96.6th percentile)
The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

Affected

2 ranges
Vendor         | Product                                                              | Version range | Fixed in
databasebackup | wp_database_backup_unlimited_database_files_backup_by_backup_for_wp | < 5.2         | 5.2
wpseeds        | wp_database_backup                                                   | < 5.2         | 5.2

Detection & IOCs (extracted from sources)

path: /wp-admin/admin.php?page=wp-database-backup
other: wp_db_exclude_table (request parameter)
  • Monitor POST requests to the wp-database-backup WordPress admin page containing shell metacharacters or command separators in the `wp_db_exclude_table` parameter, indicating OS command injection attempts.
  • Flag installations of the `wp-database-backup` WordPress plugin at versions below 5.2 as vulnerable to unauthenticated OS command injection via the mysqldump function.
  • Despite the NVD description stating the vulnerability 'allows unauthenticated attackers' to exploit it, the Metasploit module notes that authentication IS required for successful exploitation. Detections and threat models should account for authenticated attacker scenarios.
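An added detection example for the first bullet above (written for this page, not code from the plugin or its advisory sources): it flags POST requests to the wp-database-backup admin page whose `wp_db_exclude_table` value is anything other than a comma-separated list of table names. That is an allowlist, stricter than the metacharacter denylist the bullet describes, so it also catches encodings the denylist might miss. The sample requests, the `blog.example` host and the `submit=Save` form field are constructed for the example.

```python
"""Flag WP Database Backup requests whose wp_db_exclude_table value is not a plain table list."""
import re
from urllib.parse import parse_qs, urlparse

ADMIN_PAGE = "wp-database-backup"   # page= value named in the advisory
PARAM = "wp_db_exclude_table"       # parameter named in the advisory
# Legitimate values are comma-separated MySQL table names. Anything outside this
# set (';', '|', '&', '`', '$', quotes, whitespace) is suspect. '$' is legal in
# MySQL identifiers but is also a shell metacharacter, so it is deliberately excluded.
TABLE_LIST_RE = re.compile(r"[A-Za-z0-9_,-]*")


def is_exclude_table_abuse(method: str, url: str, body: str) -> bool:
    """True if the request targets the backup page with a malformed exclude list.

    Per the advisory's caveat, exploitation needs an authenticated session, so a
    hit will normally carry a valid WordPress login cookie; treat it as account abuse.
    """
    if method.upper() != "POST":
        return False
    parsed = urlparse(url)
    if not parsed.path.endswith("/wp-admin/admin.php"):
        return False
    query = parse_qs(parsed.query)
    if query.get("page", [""])[0] != ADMIN_PAGE:
        return False
    # The parameter may travel in the query string or the form body; parse_qs
    # percent-decodes, so URL-encoded metacharacters are caught as well.
    values = query.get(PARAM, []) + parse_qs(body).get(PARAM, [])
    return any(TABLE_LIST_RE.fullmatch(v) is None for v in values)


# Constructed sample requests (method, url, form body) for this example only.
SAMPLE_REQUESTS = [
    ("POST", "https://blog.example/wp-admin/admin.php?page=wp-database-backup",
     "wp_db_exclude_table=wp_options%2Cwp_postmeta&submit=Save"),   # benign list
    ("POST", "https://blog.example/wp-admin/admin.php?page=wp-database-backup",
     "wp_db_exclude_table=wp_options%3B+echo+probe&submit=Save"),   # ';' separator
    ("POST", "https://blog.example/wp-admin/admin.php?page=wp-database-backup",
     "wp_db_exclude_table=%60true%60&submit=Save"),                 # backticks
    ("GET", "https://blog.example/wp-admin/admin.php?page=wp-database-backup", ""),
    ("POST", "https://blog.example/wp-admin/admin.php?page=other-plugin",
     "wp_db_exclude_table=x%3By"),                                   # wrong page
]


def scan(requests):
    """Return the indices of requests that look like exclude-table injection."""
    return [i for i, req in enumerate(requests) if is_exclude_table_abuse(*req)]


if __name__ == "__main__":
    print("suspicious request indices:", scan(SAMPLE_REQUESTS))  # [1, 2]
```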