
Everest Backup Authorization Flaw Exposes Sensitive Data | CVE-2025-11380 | 2025-10-10


Plugin Name: Everest Backup
Type of Vulnerability: Authorization flaw
CVE Number: CVE-2025-11380
Urgency: Medium
CVE Publish Date: 2025-10-10
Source URL: CVE-2025-11380

Urgent Security Advisory — Everest Backup Plugin (<= 2.3.5)

Unauthorized access vulnerability exposes sensitive backup data (CVE-2025-11380)

Summary

  • A critical broken access control vulnerability affecting Everest Backup WordPress plugin versions up to 2.3.5 has been identified (CVE-2025-11380).
  • This flaw allows unauthenticated attackers to access sensitive backup-related features and data without proper authorization, potentially compromising site backups and metadata.
  • Severity is rated Medium with a CVSS score of 5.9.
  • Patch is available in Everest Backup version 2.3.6.
  • Immediate update to version 2.3.6 is strongly advised. If immediate patching is not feasible, follow the recommended mitigations below.

This advisory is issued by the Managed-WP Security Team, trusted US-based WordPress security experts dedicated to providing actionable protection guidance and incident response strategies.


Background — Understanding the Everest Backup Plugin and the Risk

The Everest Backup plugin facilitates backup creation and management for WordPress sites. Backup plugins inherently deal with highly sensitive data, including full database dumps, configuration files like wp-config.php, media files, and sometimes private credentials or encryption keys.

A broken access control vulnerability means the plugin does not verify if a user has the rights to perform certain actions or access specific data endpoints. In the context of backup management, this can allow attackers to enumerate, download, or otherwise access critical backup files without any authentication.

This kind of vulnerability is especially dangerous because acquiring backup files can mean obtaining all information necessary to fully restore or even take over the WordPress site.


Details of the Vulnerability

  • The flaw is present in Everest Backup versions 2.3.5 and earlier, enabling unauthorized requests to access backup resources.
  • Categorized as Broken Access Control under the OWASP Top 10 (A5 in the 2017 edition; A01 in the 2021 edition).
  • The plugin developer fixed this issue by adding proper authorization checks in version 2.3.6.
  • Due to the lack of required authorization, even unauthenticated users (no login required) can exploit this vulnerability.

Important: While internal code specifics may vary, the core issue remains missing permission checks on backup endpoints. Sites should assume vulnerability until patched.


Potential Attack Scenarios

If exploited, this vulnerability allows malicious actors to:

  • Download complete backups: Including databases with user credentials, salts, configuration files, media assets, and potentially service API keys.
  • Conduct reconnaissance: Enumerate backup file names, timestamps, and sizes, exposing site activities and sensitive information.
  • Leak metadata: Gain information about server environment and site configuration that could assist further attacks.
  • Chain with other vulnerabilities: Use exposed credentials from backups to target databases, cloud services, or other integrated platforms.
  • Risk compliance violations: Exposure of personal data in backups may trigger GDPR or other legal consequences.

Because no authenticated access is required, automated scanners could quickly identify vulnerable sites at scale.


How to Verify if Your Site is Vulnerable

  1. Confirm plugin version:
    • From WordPress dashboard: Plugins → Installed Plugins → look for “Everest Backup” and verify version.
    • If dashboard access is unavailable, verify plugin version from the file system under wp-content/plugins/everest-backup/ by inspecting the main plugin PHP file.
  2. Check for accessible backup endpoints and files:
    • Look for backup-related URLs or files in /wp-content/plugins/everest-backup/ or locations referencing “everest”, “ebackup”, or “backup”.
    • Explore your WordPress REST API (/wp-json/) for backup-related routes.
  3. Audit server logs for suspicious activity:
    • Inspect access logs for unusual GET or POST requests targeting backup endpoints from unknown IPs.
    • Look for attempts to download zip, sql, tar, gz files or requests containing parameters like download, file, backup_id.
    • Detect repeated scanning activity probing backup-related URLs.
  4. Test downloads in a controlled environment:
    • Attempt to access backup file URLs in incognito mode or using curl, only on test or staging environments approved by site admins. If downloads succeed without authentication, your site is exposed.
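The version check in step 1 can be scripted so it runs the same way on every install. The POSIX shell script below is an added example written for this advisory, not code from the plugin vendor or the original post: it locates the plugin's main file by its "Plugin Name:" header, reads the "Version:" header and compares it component-wise against 2.3.6, the first fixed release. The throwaway plugin directory, the file name demo-plugin.php and its 2.3.5 header are constructed for the demonstration; on a real site point find_plugin_main_file at wp-content/plugins/everest-backup/.

```shell
#!/bin/sh
# Added example for this advisory (not vendor code): check whether an installed
# WordPress plugin is below the first fixed release by reading its file header.

FIXED_VERSION="2.3.6"   # first patched Everest Backup release named in the advisory

# Print the path of the PHP file in directory $1 that carries the plugin header.
find_plugin_main_file() {
    grep -l '^[[:space:]]*\*\{0,1\}[[:space:]]*Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1
}

# Print the dotted version number from the "Version:" header line of file $1.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 is older than $2. Components are compared as
# numbers so that 2.10.0 sorts after 2.3.6 (a plain string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "\\."); m = split(b, y, "\\.")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# Return 0 (vulnerable) when installed version $1 is below FIXED_VERSION.
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed demo: a throwaway plugin directory whose header claims 2.3.5.
demo_dir=$(mktemp -d)
cat > "$demo_dir/demo-plugin.php" <<'EOF'
<?php
/**
 * Plugin Name: Everest Backup
 * Version: 2.3.5
 */
EOF

main_file=$(find_plugin_main_file "$demo_dir")
installed=$(plugin_version "$main_file")
if is_vulnerable_version "$installed"; then
    echo "installed $installed is below $FIXED_VERSION: update or deactivate the plugin"
else
    echo "installed $installed is at or above $FIXED_VERSION"
fi
rm -rf "$demo_dir"
```

The header-based check is useful when the dashboard and WP-CLI are unavailable (a compromised or locked-down host); where WP-CLI works, wp plugin get everest-backup --field=version gives the same number.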

If unauthorized access is detected, proceed with immediate incident response measures described below.


Urgent Recommended Actions Within 24 Hours

  1. Update Everest Backup to version 2.3.6 or newer
    • This is the definitive fix. Use the WordPress plugin updater or manually upload patched plugin files after backing up your site.
  2. If you cannot update immediately, deactivate the plugin temporarily
    • Deactivating Everest Backup stops scheduled backups but prevents exploitation of its endpoints. It does not remove backup archives already written to web-accessible directories, which remain downloadable by direct URL, so step 4 still applies.
  3. Enforce firewall rules
    • Use Web Application Firewall (WAF) or server-level access control to block requests matching backup file patterns and plugin endpoints until a patch is applied.
  4. Restrict public access to backup files
    • Ensure backup files are not stored in publicly accessible directories; move them to secured locations with access controls like S3 with strict IAM policies.
  5. Monitor logs for suspicious activity
    • Immediately review access logs for unauthorized attempts to download backups and conduct malware scans for early detection of compromise.

Firewall and Server Mitigations (Temporary)

Below are example firewall and server-level rules to temporarily block exploit attempts. Always test in staging before applying to production.

Apache — Deny access to the plugin directory and to backup file extensions. Note that a <Directory> block is only permitted in the server configuration (httpd.conf or a virtual host file), not in .htaccess; the equivalent for .htaccess is a file inside the plugin directory containing just "Require all denied". The <FilesMatch> block works in both places and, placed in the document root .htaccess, also blocks any legitimate archive downloads served from the site. Both blocks need Apache 2.4 (mod_authz_core); the document root /var/www/html is an assumption to adjust:

# Server configuration (httpd.conf / vhost): block access to the Everest Backup plugin directory
<Directory "/var/www/html/wp-content/plugins/everest-backup/">
    Require all denied
</Directory>

# Server configuration or document-root .htaccess: deny common backup file types
# ((?i) makes the match case-insensitive so .ZIP is caught as well)
<FilesMatch "(?i)\.(zip|sql|tar|gz|7z)$">
    Require all denied
</FilesMatch>

Nginx — Block access to backup files and plugin PHP files. In Nginx, return is processed in the rewrite phase, before deny is evaluated in the access phase, so the original combination "deny all; return 404;" simply returns 404 and the deny never runs; a single return 404 states that intent plainly (use deny all alone if you prefer a 403 and an error-log entry). Nginx uses the first matching regex location, so these blocks must appear before the generic "location ~ \.php$" block that passes requests to PHP-FPM, otherwise they are never reached:

location ~* ^/wp-content/(uploads|plugins)/.*\.(zip|sql|tar|gz|7z)$ {
    return 404;
}

location ~* ^/wp-content/plugins/everest-backup/.*\.php$ {
    return 404;
}

ModSecurity (Example rules) — Block suspicious backup endpoint access and download attempts. @rx is case-sensitive, so the rules apply t:lowercase first. The first rule also blocks the plugin's own wp-admin pages and any URL containing "backup", which is acceptable for an emergency rule. The second rule matches parameter names only and anchors the pattern: the original matched ARGS values too, which would block any request whose body happened to contain "file" or "path" (for example any post mentioning a file). Even restricted to names, it blocks wp-admin screens that use a "file" parameter, such as the theme and plugin file editors:

# Block URIs that mention the backup plugin or backups
SecRule REQUEST_URI "@rx /(everest|ebackup|backup)" \
    "id:1001001,phase:1,t:none,t:lowercase,deny,status:403,log,msg:'Block suspicious Everest Backup access',severity:2"
# Block requests whose parameter names look like a backup download request
SecRule ARGS_NAMES "@rx ^(download|file|backup_id|path|filename)$" \
    "id:1001002,phase:2,t:none,t:lowercase,deny,status:403,log,msg:'Potential backup download attempt',severity:2"

Note: These mitigations are interim measures and not a replacement for updating to the patched plugin version.


Safe Update Procedures

  1. Take a full off-site backup unrelated to plugin backups before making changes.
  2. Enable maintenance mode or restrict site access to administrators during the update.
  3. Update the plugin via WordPress admin dashboard or replace via SFTP with latest plugin files from a trusted source.
  4. After the update, test core site functionality including backup scheduling and plugin settings.
  5. Perform a malware scan to ensure no existing compromise.

Detecting Exploitation Attempts

  • Monitor for unauthenticated requests accessing backup paths or plugin routes with keywords like “everest”, “backup”, or “ebackup”.
  • Look for suspicious parameters such as download, file, or backup_id in requests.
  • Watch for HTTP responses serving archive content types (.zip, .gz) to unauthenticated users.
  • Be alert to new or unauthorized administrative user creation, suspicious file changes, or unexplained outbound network connections.

Any such indicators should trigger immediate incident response and further investigation.
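The indicators above can be applied to a web server access log mechanically. The script below is an added example written for this advisory, not code from the plugin or the original post: it reads combined-format Apache/Nginx log lines from standard input and flags those matching the keyword, parameter and archive rules, then ranks source IPs by number of flagged requests to surface repeated probing. The embedded log lines are constructed samples using documentation IP ranges, and the paths and file names in them are placeholders rather than real plugin routes. An access log does not record whether a request was authenticated, so every flagged line still has to be checked against the source IP and the site's known administrators.

```shell
#!/bin/sh
# Added example for this advisory (not vendor code): flag access-log lines that
# match the exploitation indicators. Expects the "combined" log format that
# Apache and Nginx use by default, one request per line, on standard input.

# Print one line per suspicious request: "<ip> <status> <target> <reasons>".
flag_backup_requests() {
    awk '
    function add(r) { reasons = (reasons == "") ? r : reasons "," r }
    {
        # Combined format: $1 client IP, $6 method, $7 request target, $9 status.
        ip = $1; target = $7; status = $9
        n = split(target, parts, "?")
        path = tolower(parts[1]); query = (n > 1) ? tolower(parts[2]) : ""
        reasons = ""
        # 1. Path or query mentions the plugin or backups in general.
        if (tolower(target) ~ /(everest|ebackup|backup)/) add("backup-keyword")
        # 2. Query carries a parameter name typical of a download request.
        if (("&" query) ~ /&(download|file|backup_id)=/) add("download-parameter")
        # 3. Target is an archive or database dump; status 200 means it was served.
        if (path ~ /\.(zip|sql|tar|gz|7z)$/) add((status == 200) ? "archive-served" : "archive-probe")
        if (reasons != "") printf "%s %s %s %s\n", ip, status, target, reasons
    }'
}

# Count flagged requests on stdin (usable as an alert threshold in a cron job).
count_flagged() {
    flag_backup_requests | wc -l | tr -d ' '
}

# Rank client IPs by number of flagged requests, highest first: repeated hits
# from one address are the scanning activity the advisory says to watch for.
rank_flagged_ips() {
    flag_backup_requests | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample log (documentation IP ranges; paths and file names are
# placeholders, not real plugin routes).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/uploads/site-backup.zip HTTP/1.1" 200 8123456 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /?download=1&backup_id=42 HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2025:12:00:04 +0000] "GET /wp-content/plugins/everest-backup/placeholder.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2025:12:00:05 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2025:12:00:06 +0000] "GET /wp-content/uploads/db.sql.gz HTTP/1.1" 404 0 "-" "python-requests/2.31"
EOF
)

printf '%s\n' "$SAMPLE_LOG" | flag_backup_requests
echo "flagged: $(printf '%s\n' "$SAMPLE_LOG" | count_flagged)"
printf '%s\n' "$SAMPLE_LOG" | rank_flagged_ips
```

On a live host pipe the real log in instead of the sample, for example "flag_backup_requests < /var/log/nginx/access.log". A 403 on a download-parameter request (as in the third sample line) is a blocked attempt and still worth recording; an archive-served line with a 200 status and a large byte count is the one that warrants incident response.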


Incident Response Guidelines

  1. Isolate the affected WordPress instance by restricting traffic and preventing further data leaks.
  2. Preserve all relevant logs and evidence securely for analysis.
  3. Rotate all sensitive credentials — database passwords, API keys, WordPress administrative passwords.
  4. Conduct thorough malware scanning and remove any backdoors or malicious files.
  5. Assess backups that may have been downloaded. Treat them as compromised; restore only from verified clean backups.
  6. Rebuild the site if necessary using fresh WordPress core files and verified plugins.
  7. Harden security by enforcing least privilege, moving backups off public folders, enforcing encryption, and enabling multi-factor authentication.
  8. Notify appropriate stakeholders and comply with legal reporting requirements if personal data was exposed.

Best Practices for Backup Plugin Security

Backups are critical but can become a major security liability if improperly protected. Follow these recommendations:

  • Store backups remotely, away from web-accessible directories (e.g., secure cloud storage with strict access controls).
  • Encrypt backups both at rest and in transit using strong encryption and regularly rotate keys/passphrases.
  • Use time-limited signed URLs instead of static public download links.
  • Restrict backup creation and download endpoints to authenticated users with proper admin capabilities.
  • Implement server-level access restrictions for backup-related files and endpoints.
  • Regularly audit backup files and prune old or unnecessary backups.
  • Enable logging and alerting for all backup-related activities.
  • Avoid including sensitive secrets in backups where possible; use environment-based secret management.

Firewall Rules to Mitigate Exploitation

When immediate patching is delayed, implementing managed WAF rules is a vital layer of protection to block exploit attempts:

  • Block unauthenticated access to plugin admin and backup endpoints.
  • Filter requests attempting to download backup archives or database dumps.
  • Rate-limit and challenge requests enumerating backup files or IDs.
  • Detect and deny known exploit patterns and suspicious query strings targeting backups.

Prioritized Action Checklist

Within Hours

  • Update Everest Backup plugin to 2.3.6 or latest version.
  • Temporarily deactivate plugin if immediate update is impossible.
  • Apply firewall and server rules to block backup file and endpoint access.
  • Audit server logs for suspicious download or enumeration activity.

One to Three Days

  • Perform full site malware scans for signs of compromise.
  • Reset database credentials, admin passwords, and any exposed API keys.
  • Relocate backups to secure storage away from web root.
  • Review plugin permissions and site security configurations.

One to Four Weeks

  • Review backup retention policies and encryption practices.
  • Conduct comprehensive security audits on plugins and remove unused ones.
  • Establish continuous monitoring and alerting for backup-related activities.

Ongoing

  • Keep WordPress core, themes, and plugins updated regularly.
  • Enforce least privilege principles for administrative users.
  • Use reputable managed firewall and vulnerability scanners.

Developer Insights: Avoiding This Vulnerability

Backup plugin authors must enforce strict authorization on all sensitive endpoints:

  • Check user capability with WordPress functions like current_user_can('manage_options') for any backup operations.
  • Implement nonce verification for AJAX and REST API endpoints.
  • Store backup files outside public web root or behind authenticated mechanisms.
  • Deliver downloads with time-limited signed URLs rather than direct static links.
  • Exclude unnecessary sensitive data from backups to minimize risk exposure.
  • Combine authorization with input validation, rate limiting, and thorough logging.
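The time-limited signed URL recommended here (and in the best-practices list above) can be demonstrated with an HMAC. The shell functions below are an added example, not the plugin's or the advisory's code: they sign a download path together with an expiry timestamp using HMAC-SHA256 through the openssl command, and verify a presented URL by recomputing the signature and checking the expiry, so a link cannot be reused after it expires or altered to fetch a different file. The signing key, the backup path and the timestamps are constructed placeholders; a plugin would keep the key in wp-config.php or the environment and compare signatures in constant time (hash_equals() in PHP) rather than with the plain string test used here.

```shell
#!/bin/sh
# Added example for this advisory (not the plugin's code): time-limited signed
# download URLs. A static link to a backup archive works forever for anyone who
# learns it; a signed link carries an expiry and an HMAC over path and expiry.
# Requires the openssl command-line tool.

# Constructed placeholder key: a real plugin keeps this in wp-config.php or the
# environment, never in a web-readable file, and rotates it periodically.
SIGNING_KEY="demo-signing-key-rotate-me"

# HMAC-SHA256 of "<path>|<expires>", hex encoded (last field of openssl's output).
url_signature() {
    printf '%s|%s' "$1" "$2" | openssl dgst -sha256 -hmac "$SIGNING_KEY" | awk '{ print $NF }'
}

# Print a signed URL for backup path $1 that stops working after unix time $2.
sign_download_url() {
    printf '%s?expires=%s&sig=%s\n' "$1" "$2" "$(url_signature "$1" "$2")"
}

# Verify URL $1 at unix time $2. Exit 0 only if the signature is valid for the
# path and expiry carried in the URL and the expiry has not passed.
verify_download_url() {
    url=$1; now=$2
    path=${url%%\?*}
    query=${url#*\?}
    expires=$(printf '%s' "$query" | sed -n 's/.*expires=\([0-9]*\).*/\1/p')
    sig=$(printf '%s' "$query" | sed -n 's/.*sig=\([0-9a-f]*\).*/\1/p')
    if [ -z "$expires" ] || [ -z "$sig" ]; then
        echo "reject: missing expiry or signature"; return 1
    fi
    if [ "$now" -gt "$expires" ]; then
        echo "reject: link expired"; return 1
    fi
    # A production check must compare in constant time (hash_equals() in PHP).
    if [ "$sig" != "$(url_signature "$path" "$expires")" ]; then
        echo "reject: bad signature"; return 1
    fi
    echo "accept: $path"
}

# Demo with constructed values: issue a link valid until unix time 1760000000,
# then check it after the path was swapped, after expiry, and within its lifetime.
issued=$(sign_download_url "/backups/site-2025-10-10.zip" 1760000000)
echo "issued: $issued"
verify_download_url "/backups/other.zip?${issued#*\?}" 1759990000
verify_download_url "$issued" 1760000001
verify_download_url "$issued" 1759990000
```

Because the signature covers both the path and the expiry, an attacker who captures one link gets at most that one file for the remaining lifetime of the link, and rotating SIGNING_KEY invalidates every outstanding link at once; the server still has to enforce the capability check from the first bullet when issuing links, since signing only limits what an issued link can do.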

How Managed-WP Protects Your WordPress Environment

Managed-WP provides industry-leading security expertise and defense layers designed for WordPress sites, including:

  • Rapid deployment of managed WAF rules to block known plugin vulnerabilities.
  • Advanced malware scanning to detect compromise indicators early.
  • Virtual patching capabilities to mitigate high-risk vulnerabilities while waiting for vendor patches.
  • Continuous monitoring and real-time security alerts to keep you informed.
  • Professional remediation guidance and incident response support.

For fast and effective protection, Managed-WP’s free Basic protection plan offers managed firewall, application layer WAF, malware scanning, and mitigation for common OWASP risks — a robust safety net until all patches are applied.

Get started with Managed-WP Free Plan today

Activate the free Basic protection plan and secure your WordPress sites immediately:
https://my.wp-firewall.com/buy/wp-firewall-free-plan/

(For enhanced security features like automated malware removal and IP blacklist/whitelist management, consider our Standard or Pro plans.)


Final Call to Action

  1. Immediately verify all your WordPress installations using Everest Backup and update to version 2.3.6 or later.
  2. If immediate updates aren’t possible, deactivate the plugin and apply available firewall and server mitigations.
  3. Perform thorough log reviews and malware scans looking for signs of exploitation.
  4. Relocate and secure backups to prevent future exposure.
  5. Adopt a managed WAF solution like Managed-WP for continuous virtual patching and monitoring.

Appendix — Useful Commands and Checks

Check Everest Backup plugin version using WP-CLI:

wp plugin get everest-backup --field=version

List files in backup-related directories:

ls -lah wp-content/plugins/everest-backup/
ls -lah wp-content/uploads/ | grep -i backup

Search Apache and Nginx logs for backup-related requests:

# Apache example
grep -iE "everest|ebackup|backup|download|backup_id" /var/log/apache2/access.log

# Nginx example
grep -iE "everest|ebackup|backup|download|backup_id" /var/log/nginx/access.log

Check for recent archive downloads in Nginx logs. This only finds anything if your log_format records the response content type (for example via $sent_http_content_type); the default combined format does not, in which case search by file extension and a 200 status instead:

grep -i "application/zip" /var/log/nginx/access.log | tail -n 50

If you require assistance, the Managed-WP expert security team is ready to:

  • Help verify if your site has been exploited or scanned,
  • Recommend and deploy immediate virtual patching and firewall rules, and
  • Provide incident response guidance and support.

Remain vigilant and treat backup-related vulnerabilities with utmost urgency. Compromise of backup data almost always means a full site breach.

— Managed-WP Security Team

