Cyber Resilience

CVE-2026-6227

High

Published: 14 April 2026

Modified: 22 April 2026
CVSS v3.1 base score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0131 (67.0th percentile)
Risk priority: 55 (floored blend, peak EPSS)
CISA KEV: not listed

Summary

CVE-2026-6227 is a high-severity path traversal (CWE-22) vulnerability, exploitable as local file inclusion, in the BackWPup plugin for WordPress (the affected product is inferred from the references, since NVD has not assigned a CPE). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.0% of CVEs by exploit likelihood (EPSS 0.0131, 67.0th percentile) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6227 is a local file inclusion vulnerability in the BackWPup plugin for WordPress, affecting all versions up to and including 5.6.6. The issue arises in the `/wp-json/backwpup/v1/getblock` REST endpoint due to insufficient sanitization of the `block_name` parameter: traversal sequences are stripped with a single-pass (non-recursive) `str_replace()`, so a nested sequence such as `....//` loses its inner `../` and collapses to `../` instead of being removed. This CWE-22 flaw, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), allows inclusion of arbitrary PHP files on the server.

Authenticated attackers with Administrator-level access (PR:H in the vector), or lower-privileged users to whom an administrator has delegated backup handling permissions, can exploit this vulnerability over the network. By placing crafted traversal sequences in the `block_name` parameter, they can read sensitive files such as `wp-config.php` or, in certain server configurations, achieve remote code execution.

The references point at the plugin's source at tag 5.6.5 and in trunk, and at a specific changeset (revision 3475739 to 3490642) that indicates the remediation. Practitioners reviewing the patch should look at `inc/Utils/BackWPupHelpers.php` (lines 23 and 40) and `src/Frontend/API/Rest.php` (line 52) for the details, and update to a release later than 5.6.6.
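The single-pass stripping described above, reproduced as an added example in Python (this is not the plugin's code and not the vendor's patch). Python's `str.replace` has the same one-pass, non-overlapping semantics as PHP's `str_replace()`, so the `....//` collapse reproduces exactly. The blocks directory, the identifier grammar and the hardened resolver are assumptions made for illustration only.

```python
import posixpath
import re

# Hypothetical directory the endpoint resolves block templates from; the real
# plugin layout is not documented on this page.
BLOCKS_DIR = "/var/www/html/wp-content/plugins/backwpup/blocks"


def vulnerable_sanitize(block_name: str) -> str:
    """Strip traversal sequences in a single pass, mirroring a non-recursive
    str_replace(). Each match is removed once and scanning resumes after it,
    so a sequence nested inside another survives: '....//' -> '../'."""
    for seq in ("../", "..\\"):
        block_name = block_name.replace(seq, "")
    return block_name


def vulnerable_resolve(block_name: str) -> str:
    """Vulnerable pattern: sanitise, then build the include path and trust it."""
    sanitized = vulnerable_sanitize(block_name)
    return posixpath.normpath(posixpath.join(BLOCKS_DIR, sanitized + ".php"))


def hardened_resolve(block_name: str) -> str:
    """Illustrative hardened pattern (not the vendor fix): positive validation
    of the identifier, then a containment check on the normalised path."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", block_name):
        raise ValueError("block_name is not a bare identifier")
    base = posixpath.normpath(BLOCKS_DIR)
    candidate = posixpath.normpath(posixpath.join(base, block_name + ".php"))
    # normpath() does not resolve symlinks; on a real server apply realpath()
    # to both sides as well before comparing.
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the blocks directory")
    return candidate


def hardened_accepts(block_name: str) -> bool:
    """True if the hardened resolver would serve this block name."""
    try:
        hardened_resolve(block_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    naive = "../../../../wp-config"        # stripped to 'wp-config': stays inside
    nested = "....//" * 4 + "wp-config"    # survives as '../../../../wp-config'
    print("naive   ->", vulnerable_resolve(naive))
    print("nested  ->", vulnerable_resolve(nested))
    for name in ("backup-list", nested):
        print("hardened", repr(name), "accepted" if hardened_accepts(name) else "rejected")
```

The naive payload is neutralised by the one-pass strip, which is why the advisory singles out the nested `....//` form: after one pass it is a plain `../`, and four of them walk from the assumed blocks directory up to the site root. The hardened resolver rejects it twice over, first on the identifier allowlist and, if that were ever relaxed, on the containment check.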

Vulnerability details

The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

The LFI sits in a REST endpoint of an Internet-facing WordPress plugin, so exploitation is a public-facing application attack (T1190). The include primitive lets the attacker pull arbitrary local files (T1005), notably wp-config.php, which holds the database credentials (T1552.001). RCE is possible in some configurations but is secondary to credential theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
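A detection check for the T1190 step above, written as an added example (not part of the original page and not a vendor-supplied rule). It scans web server access logs in combined format for requests to the getblock route and flags a `block_name` value that still carries traversal characters after URL decoding. The log lines are constructed for this example, and it assumes the parameter arrives in the query string; if the endpoint is called with a request body, this check needs application or WAF logs instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Apr/2026:10:22:01 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=backup-list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Apr/2026:10:23:14 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=....//....//....//....//wp-config HTTP/1.1" 200 4096 "-" "curl/8.4.0"
203.0.113.9 - - [15/Apr/2026:10:23:20 +0000] "GET /index.php?rest_route=/backwpup/v1/getblock&block_name=%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2fwp-config HTTP/1.1" 200 4096 "-" "curl/8.4.0"
198.51.100.7 - - [15/Apr/2026:10:24:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_SUFFIX = "/backwpup/v1/getblock"
# A legitimate block name never contains a parent reference or a separator.
TRAVERSAL_RE = re.compile(r"\.\.|[/\\]")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding so %252e%252e style payloads do not slip by."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_getblock(target: str):
    """Match both pretty-permalink (/wp-json/...) and ?rest_route= forms."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if parts.path.rstrip("/").endswith(ROUTE_SUFFIX):
        return True, qs
    route = qs.get("rest_route", [""])[0]
    if route.rstrip("/").endswith(ROUTE_SUFFIX):
        return True, qs
    return False, qs


def scan(log_text: str) -> list:
    """Return one finding per getblock request whose block_name looks like traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit, qs = is_getblock(m["target"])
        if not hit:
            continue
        for raw in qs.get("block_name", []):
            decoded = decode_fully(raw)
            if TRAVERSAL_RE.search(decoded):
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "block_name": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} block_name={f['block_name']!r}")
```

Two points of design: the `rest_route` branch matters because sites without pretty permalinks expose the REST API through `index.php?rest_route=`, so a rule keyed only on `/wp-json/` misses them; and a 200 response to a flagged request is the strongest signal, since the endpoint requires an authenticated, privileged session, so a hit from an unexpected source address also warrants checking which account issued it.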

CVEs Like This One

CVE-2025-44137 (shared CWE-22)
CVE-2025-69411 (shared CWE-22)
CVE-2026-6403 (shared CWE-22)
CVE-2024-51376 (shared CWE-22)
CVE-2026-5710 (shared CWE-22)
CVE-2025-69380 (shared CWE-22)
CVE-2026-30942 (shared CWE-22)
CVE-2019-25352 (shared CWE-22)
CVE-2025-25997 (shared CWE-22)
CVE-2025-25685 (shared CWE-22)

Affected Assets

WordPress (BackWPup plugin, versions up to and including 5.6.6)
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Remediating the specific flaw in the BackWPup plugin's non-recursive str_replace sanitization directly eliminates the path traversal vulnerability in the getblock REST endpoint; in practice this means updating to a release later than 5.6.6.

SI-10 Information Input Validation (prevent)
Enforcing positive input validation on the block_name parameter (accepting only a bare identifier rather than stripping known-bad sequences) prevents crafted traversal sequences like ....// from including arbitrary PHP files.

AC-6 Least Privilege (prevent)
Applying least privilege limits backup handling permissions to only essential users, reducing the number of authenticated accounts able to reach the REST endpoint with the privilege the exploit requires.
