Cyber Resilience

CVE-2019-25224

CriticalPublic PoCRCE

Published: 25 July 2025

Published
25 July 2025
Modified
11 August 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8535 99.4th percentile
Risk Priority 71 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-25224 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wpseeds Wp Database Backup. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2019-25224 is an OS Command Injection vulnerability (CWE-78) in the WP Database Backup plugin for WordPress, affecting versions before 5.2. The flaw exists in the mysqldump function, allowing arbitrary command execution on the host operating system. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.

Unauthenticated attackers can exploit this vulnerability remotely without user interaction. Successful exploitation grants arbitrary command execution on the underlying host operating system, potentially leading to full server compromise, data exfiltration, or further lateral movement.

Advisories from Sucuri and Wordfence, along with the WordPress plugin trac changeset 2078035, indicate that the vulnerability was patched in version 5.2. Security practitioners should ensure the plugin is updated to 5.2 or later to mitigate the issue.

A Metasploit module (wp_db_backup_rce) and other public exploit code, such as from Packet Storm, demonstrate active exploitation capabilities.

EU & UK References

Vulnerability details

The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in public-facing WordPress plugin enables remote unauthenticated RCE (T1190) and direct Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42454Shared CWE-78
CVE-2026-34796Shared CWE-78
CVE-2026-40111Shared CWE-78
CVE-2024-57016Shared CWE-78
CVE-2025-50475Shared CWE-78
CVE-2024-57015Shared CWE-78
CVE-2026-36828Shared CWE-78
CVE-2024-57595Shared CWE-78
CVE-2026-25196Shared CWE-78
CVE-2024-50566Shared CWE-78

Affected Assets

wpseeds
wp database backup
≤ 5.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2019-25224 by requiring timely patching of the WP Database Backup plugin to version 5.2 or later where the OS command injection flaw was fixed.

prevent

Prevents exploitation of the OS command injection vulnerability by validating and sanitizing inputs to the mysqldump function.

detect

Identifies the vulnerable WP Database Backup plugin through regular vulnerability scanning, enabling remediation before unauthenticated remote exploitation.

References