CVE-2025-2257: 
WordPress vulnerability analysis and mitigation

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution (CVE-2025-2257) in versions up to and including 1.16.10. The vulnerability was discovered on March 25, 2025 and disclosed on March 26, 2025 (NVD).

The vulnerability exists due to the plugin using the compressionlevel setting in procopen() without any validation. This makes it possible for authenticated attackers with administrator-level access to execute arbitrary code on the server. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command Injection (NVD).

If exploited, this vulnerability allows authenticated attackers with administrator-level access to execute arbitrary code on the server, potentially leading to complete server compromise. The vulnerability affects the confidentiality, integrity, and availability of the system, as indicated by the CVSS scoring (NVD).

The vulnerability has been patched in version 1.17.0 of the plugin. The fix includes adding validation for the compressionlevel setting. Users are advised to update to this version immediately. The patch implements proper validation through the isvalidcompressionlevel() function to ensure the compression level is a digit between 0 and 9 (GitHub PR).