Cyber Resilience

CVE-2025-2257

High · RCE

Published: 26 March 2025

Modified: 22 May 2025
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0149 (81.4th percentile)
Risk priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-2257 is a high-severity OS Command Injection (CWE-78) vulnerability in Boldgrid Total Upkeep. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid is affected by a remote code execution vulnerability in all versions through 1.16.10. The flaw stems from the plugin passing the compression_level setting directly into proc_open() without validation, enabling OS command injection as classified under CWE-78. The issue carries a CVSS 3.1 score of 7.2 with network attack vector and high impact on confidentiality, integrity, and availability.

An authenticated attacker with administrator privileges can supply a malicious compression_level value to execute arbitrary commands on the underlying server. No user interaction is required, and the attack can be performed remotely over the network.

Public references document code-level fixes, including a GitHub pull request that addresses the unsanitized parameter handling and corresponding changesets in the WordPress plugin repository that update the affected compressor class. Administrators should apply the patched version once released.
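As an added illustration (not the Total Upkeep plugin's own code; the function names, the `zip` invocation and the `$settings` array are assumptions), the shell-string pattern the analysis describes next to a hardened version that allowlists the level and hands an argument array to `proc_open()`:

```php
<?php
// Added example (not the Total Upkeep plugin's own code). The function names,
// the zip invocation and the $settings array are assumptions for illustration.

// VULNERABLE PATTERN (CWE-78): the stored setting is interpolated into a shell
// string. proc_open() with a string command runs it through /bin/sh, so any
// shell metacharacters in compression_level are interpreted.
function build_command_unsafe(array $settings, string $archive, string $dir): string
{
    $level = $settings['compression_level'] ?? '6';
    return "zip -r -{$level} {$archive} {$dir}";
}

// HARDENED: allowlist the value, then keep the shell out of the picture.
function normalize_compression_level($value): int
{
    // Only a single digit 0-9 is a valid level; \z (not $) so a trailing
    // newline cannot slip past the check.
    if (!is_scalar($value) || !preg_match('/^[0-9]\z/', (string) $value)) {
        throw new InvalidArgumentException('compression_level must be a digit 0-9');
    }
    return (int) $value;
}

function build_command_safe(array $settings, string $archive, string $dir): array
{
    $level = normalize_compression_level($settings['compression_level'] ?? 6);
    // Array form (PHP >= 7.4): proc_open() execs the program directly with
    // these argv entries; no shell parses them.
    return ['zip', '-r', '-' . $level, $archive, $dir];
}

function run_compressor(array $argv): int
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start compressor');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);   // exit status of zip
}

// Constructed sample settings: one valid value, one that is not a bare digit.
var_dump(build_command_safe(['compression_level' => '9'], 'backup.zip', '/var/www/html'));
try {
    build_command_safe(['compression_level' => '9 -x'], 'backup.zip', '/var/www/html');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same allowlist check belongs at the point where the setting is saved, so an out-of-range value never reaches persistent configuration in the first place.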

EPSS scores remain low, with a current value of 0.0149 and a peak of 0.0166.

Vulnerability details

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection via unvalidated input in proc_open() in public-facing WordPress plugin enables remote authenticated RCE, directly mapping to exploitation of public-facing applications and Unix shell command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)
CVE-2024-50566 (shared CWE-78)
CVE-2026-23592 (shared CWE-78)

Affected Assets

boldgrid total upkeep ≤ 1.17.0

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Directly requires validation of untrusted inputs like the compression_level parameter before passing them to proc_open(), preventing OS command injection.

SI-2 Flaw Remediation (prevent): Mandates identifying, prioritizing, and applying patches for flaws like CVE-2025-2257 in vulnerable WordPress plugins.

prevent: Enforces restrictions or allowlisting on inputs such as compression_level so that only valid values are accepted, blocking malicious command injection attempts.
