CVE-2025-2257
Published: 26 March 2025
Summary
CVE-2025-2257 is a high-severity OS Command Injection (CWE-78) vulnerability in Boldgrid Total Upkeep. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 18.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of untrusted inputs such as the compression_level parameter before they are passed to proc_open(), preventing OS command injection.
- Mandates identifying, prioritizing, and applying patches for flaws like CVE-2025-2257 in vulnerable WordPress plugins.
- Enforces restrictions or allowlisting on inputs such as compression_level so that only valid values are accepted, blocking command injection attempts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via unvalidated input passed to proc_open() in a public-facing WordPress plugin enables remote authenticated RCE, which maps directly to exploitation of public-facing applications and Unix shell command execution.
NVD Description
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
Deeper analysis
CVE-2025-2257 is a remote code execution vulnerability affecting the Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid for WordPress, in all versions up to and including 1.16.10. The flaw stems from the plugin's use of the unvalidated compression_level setting in a proc_open() call within the compressor component, specifically in the class-boldgrid-backup-admin-compressor-system-zip.php file. This issue is classified under CWE-78 (OS Command Injection) and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-03-26.
Authenticated attackers with administrator-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the compression_level parameter, they can inject malicious commands via proc_open(), leading to arbitrary code execution on the server and potentially full compromise of the hosting environment, including high confidentiality, integrity, and availability impacts.
Advisories and patch references, including Wordfence threat intelligence and plugin repository changesets, point to mitigations via code updates. A fix is detailed in BoldGrid's GitHub pull request #622, with related changes in WordPress plugin SVN tag 1.16.7 and Trac changeset 3257988 for the boldgrid-backup repository, which address the lack of validation on the compression_level input in the ZIP compressor class. Security practitioners should update to versions beyond 1.16.10 where available.
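As an added illustration (not Total Upkeep's own code), the pattern the advisory describes: a compression setting reaching proc_open() through a shell string, beside the allowlist validation and shell-free argv form that SI-10 calls for. The function names and sample paths are assumptions.

```php
<?php
// Illustrative example, not code from the Total Upkeep plugin.

// Unsafe pattern: the setting is interpolated raw into a shell string, so any
// shell metacharacters it contains become part of the command line.
function build_zip_command_unsafe(string $compression_level, string $archive, string $dir): string {
    return "zip -r -{$compression_level} " . escapeshellarg($archive) . ' ' . escapeshellarg($dir);
}

// Hardened pattern, step 1: allowlist the setting to the single digits 0-9
// that zip actually accepts. Anything else is rejected, not "cleaned".
function validate_compression_level($level): int {
    if (!is_scalar($level) || !preg_match('/^[0-9]$/', (string) $level)) {
        throw new InvalidArgumentException('compression_level must be a single digit 0-9');
    }
    return (int) $level;
}

// Hardened pattern, step 2: build argv as an array. With PHP >= 7.4,
// proc_open() accepts an array and executes the program directly, so no
// shell ever parses the arguments.
function build_zip_argv(string $compression_level, string $archive, string $dir): array {
    $level = validate_compression_level($compression_level);
    return ['zip', '-r', '-' . $level, $archive, $dir];
}

function run_zip(array $argv): int {
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample inputs: a valid setting and one carrying shell metacharacters.
var_dump(build_zip_argv('9', '/tmp/backup.zip', '/var/www/html'));
try {
    build_zip_argv('9; echo injected', '/tmp/backup.zip', '/var/www/html');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a WordPress plugin the same check belongs both where the option is saved (for example via a sanitize callback) and where it is read, since stored options can be changed by other code paths.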
Details
- CWE(s)