CVE-2025-10306: 
WordPress vulnerability analysis and mitigation

The Backup Bolt plugin for WordPress contains a vulnerability (CVE-2025-10306) that affects all versions up to and including 1.4.1. This security issue was disclosed on October 3, 2025, and involves arbitrary file downloads and backup location writes functionality (NVD).

The vulnerability exists in the processbackupbatch() function of the Backup Bolt WordPress plugin. The issue allows authenticated attackers with Administrator-level access to perform two unauthorized actions: download directories outside of the webroot and write backup zip files to arbitrary locations. The vulnerability has been assigned a CVSS v3.1 base score of 3.8 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N. The weakness has been categorized as CWE-73: External Control of File Name or Path (NVD, Wordfence).

The vulnerability allows privileged users to access files outside the intended directory structure and write backup files to unauthorized locations. This could potentially lead to information disclosure and unauthorized file system access, though the impact is somewhat limited by the requirement of administrator-level access (NVD).

A security fix has been released in version 1.5.0 of the Backup Bolt plugin, which includes improved security measures. Users are advised to update to this latest version to address the vulnerability (WordPress Plugin).