
Popular WordPress Backup Plugin Lets Hackers Read Your Database Passwords and Hijack Your Website

The BackWPup plugin used by millions of WordPress sites contains a critical flaw that lets admin-level attackers steal sensitive files. Over 700,000 websites could be vulnerable.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

A critical security flaw in one of WordPress's most popular backup plugins could let hackers steal your database passwords, read private files, and take complete control of your website.

What's happening

The BackWPup plugin, installed on over 700,000 WordPress websites worldwide, contains a vulnerability that allows attackers with administrator access to read any file on your web server. This includes your wp-config.php file — the crown jewel that contains your database passwords, security keys, and other critical credentials that keep your site secure. For website owners, small businesses, and organizations relying on BackWPup to protect their data, this flaw turns their backup solution into a potential gateway for complete site compromise.

How the attack works

The vulnerability is an instance of a common web security weakness called path traversal. Think of your website's file system as a filing cabinet with folders and subfolders. Normally, the BackWPup plugin should only be able to open files in its own designated drawer. But because of flawed input validation, an attacker can craft requests that trick the plugin into opening drawers it should not have access to.

Here's the attack in action: a malicious administrator (or someone who has compromised an admin account) sends a specially crafted request to the plugin's REST API endpoint. Instead of naming a legitimate backup block, they supply traversal sequences like ....// to climb out of the plugin's directory and into the rest of the server's file system. The plugin does try to strip these sequences, but it does so in a single pass, so a nested pattern such as ....// loses only its inner ../ and collapses into exactly the ../ the filter was meant to remove. Once the request succeeds, the attacker can read sensitive configuration files, potentially leading to database access, and in some server configurations even execute malicious code remotely.

The technical reality

The flaw exists in BackWPup's /wp-json/backwpup/v1/getblock REST endpoint via the block_name parameter, where non-recursive str_replace() sanitization fails to properly filter nested path traversal sequences. Security researchers have assigned this vulnerability CVE-2026-6227 with a CVSS score of 7.2 (HIGH), indicating significant risk that demands immediate attention from security teams and WordPress administrators.

Who is at risk

All websites running BackWPup versions 5.6.6 and earlier are vulnerable to this attack. While the vulnerability requires administrator-level access to exploit, this doesn't significantly reduce the risk — compromised admin accounts are increasingly common through phishing attacks, credential stuffing, and other social engineering tactics. The risk is particularly acute for organizations with multiple administrators, shared hosting environments, or sites where admin credentials may have been previously compromised. Any website using BackWPup for automated backups, disaster recovery, or data migration could potentially be exploited.

What you should do right now

1. Update BackWPup immediately: Log into your WordPress dashboard, navigate to Plugins > Installed Plugins, and update BackWPup to version 5.6.7 or later. If automatic updates are enabled, verify the update has been applied by checking the version number.

2. Audit your administrator accounts: Review all users with administrator privileges on your WordPress site. Remove any unnecessary admin accounts, ensure all legitimate admins are using strong, unique passwords, and enable two-factor authentication for all administrative users.

3. Monitor for suspicious activity: Check your website's access logs for unusual requests to the /wp-json/backwpup/v1/getblock endpoint, particularly any containing unexpected characters or path traversal patterns. If you find suspicious activity, immediately change all passwords and consider engaging a security professional to assess the potential compromise.
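The mechanism described under "How the attack works" and the log check in step 3, as an added illustration in Python (the plugin itself is PHP, and this is not its code): a single-pass strip of ../ that ....// survives, a containment check that refuses any path escaping the blocks directory regardless of how it was spelled, and a filter over access-log lines. The blocks directory, log lines and function names are constructed for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed base directory for the illustration; not the plugin's real layout.
BLOCKS_DIR = "/var/www/html/wp-content/uploads/backwpup-blocks"

def weak_sanitize(block_name: str) -> str:
    """Mirrors the single-pass strip the article describes: one replace of '../'.
    Over '....//' it removes the inner '../' and leaves a fresh '../' behind."""
    return block_name.replace("../", "")

def safe_resolve(block_name: str, base_dir: str = BLOCKS_DIR) -> Optional[str]:
    """Hardened alternative: do not strip; resolve the full path and refuse
    anything that does not stay inside base_dir. Returns None on escape."""
    if "\0" in block_name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, block_name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

# Detection for step 3: getblock requests whose decoded query carries '../' or '..\'.
GETBLOCK_RE = re.compile(r'"(?:GET|POST) (/wp-json/backwpup/v1/getblock[^ "]*)')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def find_suspicious_getblock(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded request target) for flagged getblock requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = GETBLOCK_RE.search(line)
        if m:
            target = unquote(m.group(1))  # decode once so %2F shows up as '/'
            if TRAVERSAL_RE.search(target):
                hits.append((n, target))
    return hits

# Constructed access-log lines (combined format, RFC 5737 documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:10:00:01 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=daily-backup HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2026:10:00:09 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=....//....//wp-config.php HTTP/1.1" 200 3071',
    '198.51.100.7 - - [10/May/2026:10:01:00 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=..%2F..%2Fwp-config.php HTTP/1.1" 200 3071',
    '198.51.100.7 - - [10/May/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    print(weak_sanitize("....//....//wp-config.php"))  # ../../wp-config.php
    print(find_suspicious_getblock(SAMPLE_LOG))        # flags lines 2 and 3
```

Note that safe_resolve accepts a literal ....// name, because without a stripping step the file system treats .... as an ordinary directory name that stays inside the base; the escape only appears once a one-pass filter has rewritten it into ../.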
