CVE-2025-2257
Published: 26 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-2257 is a remote code execution vulnerability in the Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid for WordPress, affecting all versions up to and including 1.16.10. The flaw stems from the plugin passing the compression_level setting, without validation, into a proc_open() call in the compressor component, specifically in the class-boldgrid-backup-admin-compressor-system-zip.php file. The issue is classified as CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-03-26.
Authenticated attackers with administrator-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction. By manipulating the compression_level parameter, they can inject commands through proc_open(), leading to arbitrary code execution on the server and potentially full compromise of the hosting environment, with high confidentiality, integrity, and availability impact.
Advisories and patch references, including Wordfence threat intelligence and plugin repository changesets, point to code updates as the mitigation. The fix is detailed in BoldGrid's GitHub pull request #622, with related changes in WordPress plugin SVN tag 1.16.7 and Trac changeset 3257988 for the boldgrid-backup repository; these add validation of the compression_level input in the ZIP compressor class. Security practitioners should update to a version later than 1.16.10 where available.
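The hardening the fix describes, as an added illustration (not the plugin's own code, which is not reproduced here): constrain compression_level to the single digit zip accepts before it reaches proc_open(), and hand proc_open() an argument array so no value is ever parsed by a shell. Function names, the settings array layout and the zip invocation are assumptions.

```php
<?php
// Added example modelling the CWE-78 bug class described above, not code
// from Total Upkeep. Assumes the level is read from a settings array.

/**
 * Return compression_level as an int in 0..9, or null if it is anything
 * else. zip only accepts -0 .. -9, so a single digit is the whole
 * allowed alphabet; everything else is rejected, not "cleaned".
 */
function validate_compression_level($raw): ?int {
    if (is_int($raw)) {
        return ($raw >= 0 && $raw <= 9) ? $raw : null;
    }
    if (is_string($raw) && preg_match('/^[0-9]$/', $raw) === 1) {
        return (int) $raw;
    }
    return null;
}

/**
 * Build the zip command as an argument array. proc_open() has accepted an
 * array (PHP 7.4+), which execs the program directly with no shell in
 * between, so even a bad value could not be interpreted as shell syntax.
 */
function build_zip_command(array $settings, string $archive, string $dir): array {
    $level = validate_compression_level($settings['compression_level'] ?? 6);
    if ($level === null) {
        $level = 6; // fall back to zip's default rather than trusting input
    }
    return ['zip', '-r', '-' . $level, $archive, $dir];
}

// Constructed sample inputs: a valid level, then a malformed one.
var_dump(validate_compression_level('6'));        // int(6)
var_dump(validate_compression_level('6 --extra')); // NULL
var_dump(build_zip_command(
    ['compression_level' => '6 --extra'], '/tmp/backup.zip', '/var/www'
)); // falls back to level 6; the raw string never reaches the command
```

To run the array form, pass the returned array straight to proc_open($cmd, $descriptors, $pipes); string concatenation of the level into a command line is what the vulnerable pattern relied on.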
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via unvalidated input reaching proc_open() in a public-facing WordPress plugin gives an authenticated attacker remote code execution, which maps directly to exploitation of public-facing applications and to Unix shell command execution.