CVE-2026-6227
Published: 14 April 2026
Summary
CVE-2026-6227 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6227 is a local file inclusion vulnerability in the BackWPup plugin for WordPress, affecting all versions up to and including 5.6.6. The issue arises in the `/wp-json/backwpup/v1/getblock` REST endpoint due to insufficient sanitization of the `block_name` parameter, specifically a non-recursive `str_replace()` function that fails to fully mitigate path traversal sequences like `....//`. This CWE-22 flaw, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), allows inclusion of arbitrary PHP files on the server.
Authenticated attackers with Administrator-level access, or lower-privileged users granted backup handling permissions by administrators, can exploit this vulnerability over the network. By crafting traversal sequences in the `block_name` parameter, they can read sensitive files such as `wp-config.php` or, in certain configurations, achieve remote code execution.
References to the plugin's source code in versions tagged 5.6.5 and the trunk repository, including a specific changeset (from revision 3475739 to 3490642), indicate remediation efforts. Security practitioners should review these code locations—such as `inc/Utils/BackWPupHelpers.php` lines 23 and 40, and `src/Frontend/API/Rest.php` line 52—for patch details and update to a fixed version beyond 5.6.6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22201
Vulnerability details
The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.
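As an added illustration of the sanitization pattern described in the deeper analysis and the vulnerability details above (example code written for this page, not BackWPup's own), the PHP below contrasts a single-pass `str_replace()` filter with an allow-list resolver that canonicalizes the path before it is included. The blocks directory, the `header` block and the function names are constructed for the example.

```php
<?php
// Added example, not BackWPup's code: a single-pass str_replace() filter
// of the kind the advisory describes, beside an allow-list resolver.
// Directory, file and block names are constructed for illustration.
declare(strict_types=1);

// Weak: str_replace() makes one pass, so a nested sequence such as
// "....//" loses one "../" and leaves a working "../" behind.
function weak_sanitize(string $block_name): string
{
    return str_replace(['../', '..\\'], '', $block_name);
}

// Hardened: accept only a plain identifier, map it onto a fixed blocks
// directory, and confirm the resolved file still lies inside that directory.
function resolve_block(string $block_name, string $blocks_dir): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $block_name) !== 1) {
        return null; // traversal characters never reach the filesystem
    }
    $base = realpath($blocks_dir);
    $file = realpath($blocks_dir . DIRECTORY_SEPARATOR . $block_name . '.php');
    if ($base === false || $file === false) {
        return null; // directory or block file does not exist
    }
    // realpath() has collapsed ".." and followed symlinks, so a prefix
    // check on the canonical path catches anything outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: a temporary blocks directory holding one real block.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'blocks_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', "<?php echo 'header block';\n");

printf("weak_sanitize('....//x.php') -> %s\n", weak_sanitize('....//x.php'));
printf("resolve_block('header')      -> %s\n", resolve_block('header', $dir) ?? 'rejected');
printf("resolve_block('....//x')     -> %s\n", resolve_block('....//x', $dir) ?? 'rejected');
printf("resolve_block('../x')        -> %s\n", resolve_block('../x', $dir) ?? 'rejected');

unlink($dir . DIRECTORY_SEPARATOR . 'header.php');
rmdir($dir);
```

The weak filter's output shows why a non-recursive replacement is not a traversal defence; the resolver rejects anything that is not a bare block name and re-checks the canonical path, so the `....//` case is stopped twice.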
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in a public-facing WordPress plugin (T1190) directly enables reading arbitrary local files (T1005), including wp-config.php for credentials (T1081); RCE is possible in some configurations but secondary.
Mitigating Controls (NIST 800-53 r5)
- Remediating the specific flaw in the BackWPup plugin's non-recursive `str_replace()` sanitization directly eliminates the path traversal vulnerability in the `getblock` REST endpoint.
- Enforcing comprehensive input validation on the `block_name` parameter prevents crafted path traversal sequences like `....//` from including arbitrary PHP files.
- Applying least privilege limits backup handling permissions to only essential users, reducing the number of authenticated attackers able to exploit the REST endpoint.