CVE-2019-25224
Published: 25 July 2025
Summary
CVE-2019-25224 is a critical-severity OS Command Injection (CWE-78) vulnerability in Wpseeds Wp Database Backup. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25224 is an OS Command Injection vulnerability (CWE-78) in the WP Database Backup plugin for WordPress, affecting versions before 5.2. The flaw exists in the mysqldump function, allowing arbitrary command execution on the host operating system. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely without user interaction. Successful exploitation grants arbitrary command execution on the underlying host operating system, potentially leading to full server compromise, data exfiltration, or further lateral movement.
Advisories from Sucuri and Wordfence, along with the WordPress plugin trac changeset 2078035, indicate that the vulnerability was patched in version 5.2. Security practitioners should ensure the plugin is updated to 5.2 or later to mitigate the issue.
A Metasploit module (wp_db_backup_rce) and other public exploit code, such as from Packet Storm, demonstrate active exploitation capabilities.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19374
Vulnerability details
The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing WordPress plugin enables remote unauthenticated RCE (T1190) and direct Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2019-25224 by requiring timely patching of the WP Database Backup plugin to version 5.2 or later where the OS command injection flaw was fixed.
Prevents exploitation of the OS command injection vulnerability by validating and sanitizing inputs to the mysqldump function.
Identifies the vulnerable WP Database Backup plugin through regular vulnerability scanning, enabling remediation before unauthenticated remote exploitation.