CVE-2024-13907: 
WordPress vulnerability analysis and mitigation

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress was identified with a Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2024-13907. The vulnerability affects all versions up to and including 1.16.8, and was disclosed on February 27, 2025. This security issue specifically impacts the 'download' function of the plugin (NVD).

The vulnerability is classified as a Server-Side Request Forgery (CWE-918) issue. It received a CVSS v3.1 Base Score of 6.5 (MEDIUM) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, while Wordfence assessed it with a slightly lower score of 4.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows authenticated attackers with Administrator-level access or higher to make web requests to arbitrary locations originating from the web application. This capability can be exploited to query and modify information from internal services, potentially compromising sensitive data and internal system security (NVD).

A patch has been released to address this vulnerability. Users are advised to update their Total Upkeep plugin to version 1.16.9 or later to mitigate this security risk (WordPress Patch).