Cyber Resilience

CVE-2025-15041

Severity: High
Published: 19 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: plugin changeset 3443073@backwpup; fixed in versions later than 5.6.2
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-15041 is a high-severity Missing Authorization (CWE-862) vulnerability in the BackWPup – WordPress Backup & Restore plugin for WordPress (product inferred from references; NVD did not file a CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 16.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-15041 is a vulnerability in the BackWPup – WordPress Backup & Restore plugin for WordPress, affecting all versions up to and including 5.6.2. It stems from a missing capability check on the save_site_option() function, enabling unauthorized modification of data that results in privilege escalation (CWE-862). The issue carries a CVSS v3.1 base score of 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network with low attack complexity and no user interaction, with high impact on confidentiality, integrity and availability, but requiring an already privileged account (PR:H).

Authenticated attackers at the required access level and above (the CVSS vector rates this precondition as high privilege, PR:H) can exploit this flaw to update arbitrary options across the WordPress site. By setting the default role for new registrations to administrator and enabling open user registration, an attacker can then register an account with full administrative access, compromising the site.

References include WordPress plugin Trac browser links to the vulnerable code in src/Jobs/API/Rest.php (lines 88, 337 and 788-812), the plugin repository changeset (3443073@backwpup) associated with the fix, and a Wordfence threat intelligence page describing the vulnerability. Together they point to a code-level patch that adds the missing check; the mitigation is to update the plugin to a version later than 5.6.2.
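To make the weakness concrete, the following is an added illustrative example; it is not BackWPup's code (the page does not reproduce the actual Rest.php source) but a hypothetical WordPress REST route that saves an option the way the description implies, beside a hardened version. The route namespace, endpoint paths, option names and the example_ helper names are all assumptions.

```php
<?php
// Added illustrative example, not BackWPup's code. Route names, option names and
// example_ helpers are hypothetical.

// VULNERABLE PATTERN (hypothetical reconstruction of the CWE-862 described above):
// the route is registered without a meaningful permission_callback, and the handler
// writes whatever option name/value the caller supplies. Any authenticated user who
// can reach the endpoint can therefore set default_role=administrator and
// users_can_register=1, then register an administrator account.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-backup/v1', '/site-option', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',          // (1) no capability check
        'callback'            => 'example_save_site_option_vulnerable',
    ) );
} );

function example_save_site_option_vulnerable( WP_REST_Request $request ) {
    $name  = $request->get_param( 'name' );
    $value = $request->get_param( 'value' );
    update_option( $name, $value );                          // (2) arbitrary option write
    return rest_ensure_response( array( 'saved' => $name ) );
}

// HARDENED PATTERN: enforce authorization (AC-3), require the least privilege that
// legitimately needs this action (AC-6), and restrict writes to the plugin's own
// option keys so a bug elsewhere cannot turn into an arbitrary configuration change.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_backup_schedule',
    'example_backup_destination',
);

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-backup/v1', '/plugin-option', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            // Only users who may manage site settings get through.
            return current_user_can( 'manage_options' );
        },
        'callback'            => 'example_save_site_option_hardened',
        'args'                => array(
            'name' => array(
                'required'          => true,
                'validate_callback' => function ( $name ) {
                    return in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true );
                },
            ),
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_save_site_option_hardened( WP_REST_Request $request ) {
    $name  = $request->get_param( 'name' );
    $value = $request->get_param( 'value' );

    // Defence in depth: re-check inside the handler in case the function is ever
    // called from another code path that bypasses the route's permission_callback.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Option not managed by this plugin.', array( 'status' => 400 ) );
    }

    update_option( $name, $value );
    return rest_ensure_response( array( 'saved' => $name ) );
}
```

Two points worth keeping in mind when reviewing a plugin's REST code for this class of bug: WordPress cookie authentication still requires a valid X-WP-Nonce on REST requests, so the attacker needs a logged-in session or application password, and the missing capability check is exactly what lets that low-privileged session do an administrator's work; and a permission_callback alone does not bound what the handler writes, so the allowlist of option keys is what stops a generic "save option" endpoint from becoming a site-wide configuration primitive.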

Vulnerability details

The BackWPup – WordPress Backup & Restore Plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with the required access level and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing capability check enables authenticated privilege escalation to admin via arbitrary option modification (T1068); targets public-facing WordPress plugin (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4100 (shared CWE-862)
CVE-2026-32501 (shared CWE-862)
CVE-2025-31194 (shared CWE-862)
CVE-2026-6963 (shared CWE-862)
CVE-2024-9195 (shared CWE-862)
CVE-2025-6380 (shared CWE-862)
CVE-2026-0506 (shared CWE-862)
CVE-2025-2110 (shared CWE-862)
CVE-2025-27270 (shared CWE-862)
CVE-2026-6510 (shared CWE-862)

Affected Assets

WordPress (BackWPup – WordPress Backup & Restore plugin)
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent)
Directly enforces authorization checks before permitting modification of site options via save_site_option(), closing the missing capability check that enables privilege escalation.

AC-6 Least Privilege (prevent)
Limits authenticated users to only the privileges required for their role, preventing the ability to arbitrarily update options such as default_role and registration settings.

Configuration change restriction (prevent; control identifier not preserved on the page)
Restricts which users or processes may alter configuration settings or options, directly limiting the impact of unauthorized calls to save_site_option().
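As an added illustrative compensating control (example code, not part of this page or of the plugin), the following must-use plugin applies the least-privilege idea at the option layer while a site waits to update: it refuses changes to default_role and users_can_register that are not made by a user holding manage_options, whatever code path calls update_option(), and it provides an audit helper an incident responder can run to see whether the escalation chain described above has already happened. Everything prefixed example_ is hypothetical.

```php
<?php
/**
 * Plugin Name: Example Option Guard
 * Description: Added illustrative compensating control, not BackWPup code. Install under
 *              wp-content/mu-plugins/. Names prefixed example_ are hypothetical.
 */

// Roles that must never become the self-registration default unless an administrator sets it.
const EXAMPLE_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

/**
 * Block default_role changes to a privileged role unless the acting user holds manage_options.
 * Returning $old_value makes WordPress treat the update as a no-op, regardless of the caller.
 */
function example_guard_default_role( $value, $old_value, $option ) {
    if ( in_array( $value, EXAMPLE_PRIVILEGED_ROLES, true ) && ! current_user_can( 'manage_options' ) ) {
        example_log_block( $option, $value );
        return $old_value;
    }
    return $value;
}
add_filter( 'pre_update_option_default_role', 'example_guard_default_role', 10, 3 );

/**
 * Block enabling open registration unless the acting user holds manage_options.
 */
function example_guard_users_can_register( $value, $old_value, $option ) {
    if ( (int) $value === 1 && ! current_user_can( 'manage_options' ) ) {
        example_log_block( $option, $value );
        return $old_value;
    }
    return $value;
}
add_filter( 'pre_update_option_users_can_register', 'example_guard_users_can_register', 10, 3 );

/** Write a single-line record to the PHP error log so the attempt is visible to log collection. */
function example_log_block( $option, $value ) {
    error_log( sprintf(
        'option-guard: blocked %s=%s by user %d from %s via %s',
        $option,
        is_scalar( $value ) ? $value : wp_json_encode( $value ),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? 'cli'
    ) );
}

/**
 * Audit helper for incident response: report whether the chain described on this page
 * (default_role raised, registration enabled, administrator accounts present) has happened.
 * Run with: wp eval 'print_r( example_audit_registration_settings() );'
 */
function example_audit_registration_settings() {
    $findings     = array();
    $default_role = get_option( 'default_role' );
    if ( in_array( $default_role, EXAMPLE_PRIVILEGED_ROLES, true ) ) {
        $findings[] = "default_role is '$default_role'";
    }
    if ( (int) get_option( 'users_can_register' ) === 1 ) {
        $findings[] = 'users_can_register is enabled';
    }
    // List every administrator with its registration timestamp so unexpected recent
    // accounts stand out against the known ones.
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
        $findings[] = sprintf( 'administrator %s (ID %d) registered %s',
            $admin->user_login, $admin->ID, $admin->user_registered );
    }
    return $findings;
}
```

This guard only closes the specific default_role / users_can_register chain the page describes; an arbitrary option write has other dangerous targets (siteurl, active_plugins), so it is a stopgap for detection and containment, not a substitute for updating the plugin past 5.6.2.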

References

WordPress plugin Trac browser: src/Jobs/API/Rest.php (lines 88, 337, 788-812)
Plugin repository changeset 3443073@backwpup (fix)
Wordfence threat intelligence page for CVE-2025-15041