CVE-2025-5396: 
WordPress vulnerability analysis and mitigation

The Bears Backup plugin for WordPress has been identified with a critical Remote Code Execution vulnerability (CVE-2025-5396) affecting all versions up to and including 2.0.0. The vulnerability was disclosed on July 16, 2025, and received a Critical CVSS v3.1 base score of 9.8 (Wordfence).

The vulnerability stems from the bbackupajaxhandle() function lacking both a capability check and proper validation of user-supplied input that is passed directly to calluserfunc(). This implementation flaw is classified as CWE-94 (Improper Control of Generation of Code). The severity is rated as Critical with a CVSS v3.1 Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary code on the server. This can be exploited to inject backdoors or create new administrative user accounts. Additionally, on WordPress sites running the Alone theme versions 7.8.4 and older, this vulnerability can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact (NVD).