CVE-2025-9993: 
WordPress vulnerability analysis and mitigation

The Bei Fen – WordPress Backup Plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-9993) affecting all versions up to and including 1.4.2. The vulnerability was discovered by Aril Aprilio (forsak3n) and was publicly disclosed on September 29, 2025 (Wordfence).

The vulnerability exists in the plugin's handling of the 'task' parameter, which allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary .php files on the server. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and only affects instances running PHP 7.1 or older (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary PHP code contained in accessible .php files on the server. This can lead to bypass of access controls, unauthorized access to sensitive data, and potential remote code execution in scenarios where .php files can be uploaded and included (Tenable).

Users should upgrade to a version newer than 1.4.2 once available. As the vulnerability only affects PHP 7.1 or older, upgrading PHP to a newer version can also serve as a mitigation (NVD).