CVE-2024-13911
Published: 01 March 2025
Description
The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35 via the /dashboard/backup.php file. This makes it possible for authenticated attackers, with Administrator-level access and above, to extract sensitive data including full database credentials.
Security Summary
CVE-2024-13911 is a sensitive information exposure vulnerability (CWE-200) affecting the Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress in all versions up to and including 2.35. The issue resides in the /dashboard/backup.php file, where sensitive data, including full database credentials, can be extracted. It has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability remotely without user interaction. By accessing the vulnerable /dashboard/backup.php endpoint, they can retrieve exposed sensitive information such as complete database credentials, potentially enabling further compromise of the WordPress site's backend database.
The provided references point to specific lines (62-66) in the plugin's trunk/dashboard/backup.php file on the WordPress plugin trac repository, highlighting the exact location of the exposure in the source code. No additional advisory details on patches or mitigations are specified beyond identifying the vulnerable versions up to 2.35.
Details
- CWE(s)