CVE-2025-15041
Published: 19 February 2026
Summary
CVE-2025-15041 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); its exploit-likelihood ranking falls at the 16.3rd percentile (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-15041 is a vulnerability in the BackWPup – WordPress Backup & Restore Plugin for WordPress, affecting all versions up to and including 5.6.2. It stems from a missing capability check on the save_site_option() function, enabling unauthorized modification of data that results in privilege escalation (CWE-862). The issue carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H), indicating high-impact potential over the network with low complexity but requiring high privileges.
Authenticated attackers with level access and above can exploit this flaw to update arbitrary options across the WordPress site. By modifying settings such as the default role for user registrations to administrator and enabling registration, attackers can create accounts with full administrative access, effectively compromising the site.
References include WordPress plugin Trac browser links to the vulnerable code in src/Jobs/API/Rest.php (lines 88, 337, 788-812), a plugin repository changeset (3443073@backwpup) associated with the fix, and a Wordfence threat intelligence page detailing the vulnerability. These point to code-level patches that add the missing check; mitigation centres on updating the plugin to a version later than 5.6.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207870
Vulnerability details
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
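The defect class described above (CWE-862 in a WordPress REST endpoint that writes options) and its fix, shown as an added illustration with a hypothetical plugin; this is not BackWPup's own code, and the route names, option names and function names are invented for the example:

```php
<?php
// Added illustration, not BackWPup's code: a hypothetical plugin REST endpoint
// that writes site options. The first route shows the CWE-862 shape (no
// capability check reaches the handler); the second shows the hardened form.

add_action('rest_api_init', function () {
    // Vulnerable pattern: permission_callback admits every caller, so any
    // authenticated user reaches a handler that writes arbitrary options.
    register_rest_route('example-plugin/v1', '/site-option', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => 'example_save_site_option_unchecked',
    ]);

    // Hardened pattern: WordPress enforces the capability before the handler
    // runs, and the handler only writes an allowlist of the plugin's own options.
    register_rest_route('example-plugin/v1', '/plugin-option', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'callback'            => 'example_save_plugin_option_checked',
        'args'                => [
            'name'  => ['required' => true, 'type' => 'string'],
            'value' => ['required' => true],
        ],
    ]);
});

function example_save_site_option_unchecked(WP_REST_Request $req) {
    // Any option name is accepted, including default_role and users_can_register,
    // which is exactly the path the advisory describes.
    update_option($req['name'], $req['value']);
    return rest_ensure_response(['updated' => $req['name']]);
}

// Allowlist (hypothetical names): only options this plugin owns may be written here.
const EXAMPLE_PLUGIN_OPTIONS = ['example_plugin_schedule', 'example_plugin_destination'];

function example_save_plugin_option_checked(WP_REST_Request $req) {
    $name = sanitize_key($req->get_param('name'));
    if (!in_array($name, EXAMPLE_PLUGIN_OPTIONS, true)) {
        return new WP_Error('rest_forbidden_option',
            'Option not managed by this plugin.', ['status' => 403]);
    }
    update_option($name, $req->get_param('value'));
    return rest_ensure_response(['updated' => $name]);
}
```

The permission_callback implements AC-3 (the check runs before any write) and the allowlist implements AC-6 (even an administrator cannot reach core options such as default_role through this route).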
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing capability check enables authenticated privilege escalation to administrator via arbitrary option modification (T1068, Exploitation for Privilege Escalation); the target is a public-facing WordPress plugin (T1190, Exploit Public-Facing Application).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization checks before permitting modification of site options via save_site_option(), closing the missing capability check that enables privilege escalation.
- AC-6 (Least Privilege): Limits authenticated users to only the privileges required for their role, preventing the ability to arbitrarily update options such as default_role and registration settings.
- Access restrictions for configuration changes: Restricts which users or processes may alter configuration settings or options, directly limiting the impact of unauthorized calls to save_site_option().