CVE-2025-2257
Published: 26 March 2025
Summary
CVE-2025-2257 is a high-severity OS Command Injection (CWE-78) vulnerability in Boldgrid Total Upkeep. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid is affected by a remote code execution vulnerability in all versions through 1.16.10. The flaw stems from the plugin passing the compression_level setting directly into proc_open() without validation, enabling OS command injection as classified under CWE-78. The issue carries a CVSS 3.1 score of 7.2, with a network attack vector and high impact on confidentiality, integrity, and availability.
An authenticated attacker with administrator privileges can supply a malicious compression_level value to execute arbitrary commands on the underlying server. No user interaction is required, and the attack can be performed remotely over the network.
Public references document code-level fixes, including a GitHub pull request that addresses the unsanitized parameter handling and corresponding changesets in the WordPress plugin repository that update the affected compressor class. Administrators should apply the patched version once released.
EPSS scores remain low, with a current value of 0.0149 and a peak of 0.0166.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8110
Vulnerability details
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
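The root cause described in the Deeper analysis and Vulnerability details sections, as an added illustration that is not the plugin's own code: the unvalidated pattern (a stored option spliced into a shell command line) beside a hardened form that accepts only integer compression levels and hands proc_open() an argv array so no shell parses the value. The function names and the gzip invocation are assumptions.

```php
<?php
// Added example, not code from the Total Upkeep plugin. The helper names and
// the gzip invocation are assumptions made for illustration.

// The pattern the advisory describes: a stored option is spliced straight into
// the command string, which proc_open() hands to /bin/sh for parsing.
function build_command_unvalidated(string $compression_level, string $file): string
{
    return "gzip -$compression_level -k $file";
}

// Hardened step 1: accept only the integer levels gzip understands (1-9).
// Anything else falls back to a fixed default instead of being trusted, even
// though only administrators can normally write this option.
function sanitize_compression_level($raw, int $default = 6): int
{
    $level = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 9],
    ]);
    return $level === false ? $default : $level;
}

// Hardened step 2: build argv as an array. Since PHP 7.4, proc_open() accepts
// an array and executes the program directly, so no shell parses the values.
function build_command_validated($raw_level, string $file): array
{
    return ['gzip', '-' . sanitize_compression_level($raw_level), '-k', $file];
}

// Runs the array form and returns the exit status (-1 if the process failed to start).
function run_compressor(array $argv): int
{
    $pipes = [];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed option values: one valid level and one that is not a level at all.
foreach (['9', 'high'] as $stored) {
    echo "stored=" . var_export($stored, true)
        . " unvalidated=[" . build_command_unvalidated($stored, 'backup.tar') . "]"
        . " validated=" . json_encode(build_command_validated($stored, 'backup.tar')) . "\n";
}
```

The non-numeric value is reduced to the default level rather than reaching the command line, which is the SI-10 input-validation control the page lists applied at the code level.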
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection via unvalidated input to proc_open() in a public-facing WordPress plugin enables remote authenticated RCE, directly mapping to exploitation of public-facing applications and Unix shell command execution.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the compression_level parameter before they are passed to proc_open(), preventing OS command injection.
- SI-2 (Flaw Remediation): mandates identifying, prioritizing, and applying patches for flaws like CVE-2025-2257 in vulnerable WordPress plugins.
- Enforces restrictions or allow-listing on inputs such as compression_level so that only valid values are accepted, blocking command injection attempts.