Vulnerability Description
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Boldgrid | Total Upkeep | < 1.17.0 |
Related Weaknesses (CWE)
References
- https://github.com/BoldGrid/boldgrid-backup/pull/622/filesPatch
- https://plugins.svn.wordpress.org/boldgrid-backup/tags/1.16.7/admin/compressor/cRelease Notes
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&oldPatch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec3cc3e-c11b-43b6-9ddThird Party Advisory
FAQ
What is CVE-2025-2257?
CVE-2025-2257 is a vulnerability with a CVSS score of 7.2 (HIGH). The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compress...
How severe is CVE-2025-2257?
CVE-2025-2257 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-2257?
Check the references section above for vendor advisories and patch information. Affected products include: Boldgrid Total Upkeep.