CVE-2025-49040: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in Backup Bolt plugin versions through 1.4.1. The vulnerability was identified on August 27, 2025, and assigned CVE-2025-49040. This security issue affects the WordPress Backup Bolt plugin and allows potential Cross Site Request Forgery attacks (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is categorized as CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. The integrity impact is rated as Low, while there are no direct impacts on confidentiality or availability of the system (Patchstack).

As of the vulnerability disclosure, no official fix is available for this security issue. The vulnerability affects versions through 1.4.1 of the Backup Bolt plugin (Patchstack).

The vulnerability was initially reported by Nabil Irawan on July 13, 2025. Patchstack issued an early warning to their customers on August 19, 2025, before publishing the vulnerability publicly on August 21, 2025 (Patchstack).