CVE-2026-39480: WordPress Backup Migration plugin <= 2.1.1 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated sensitive data exposure vulnerability affects the Backup Migration WordPress plugin at version 2.1.1 and earlier. The flaw is reachable over the network with no credentials required and no user interaction needed, meaning any remote party with HTTP access to the site can trigger it. Successful exploitation gives an attacker read access to sensitive data stored or handled by the plugin, such as backup archives or configuration details. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-39480 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against all customer images, including custom-built images that bundle the Backup Migration plugin. Any image carrying an affected version (2.1.1 or earlier) will be flagged in the registry scan results and in active pipeline checks.
Status: Available
HarborGuard scores this CVE at CVSS 7.5 HIGH based on the published v3.1 vector and surfaces that score alongside each affected image in the customer dashboard. Per-environment compliance policy weighting is applied automatically, and findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
Because no fix version has been published for CVE-2026-39480, HarborGuard re-checks the upstream advisory and Patchstack feed on every ingest cycle. A patched-image rebuild will become available to customers automatically the moment the upstream maintainer ships a remediated release, with auto-remediation customers receiving a rebuild, a regression test run, and a PR opened against affected workloads without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the target WordPress installation.
- Authentication: Not required
  No account or credential of any privilege level is needed; the exposure is accessible to any anonymous requester.
- Victim interaction: Not required
  The attacker does not need to trick or wait on any user action; the request can be made entirely without victim participation.
- Attack complexity: Low
  Exploit complexity is low, meaning no special conditions, race conditions, or environmental factors need to align for the attack to succeed reliably.
Blast Radius
- An attacker reads sensitive data managed by the Backup Migration plugin, which may include full backup archives containing the WordPress database, user credentials, and uploaded media.
- Exposed backup files can contain wp-config.php contents, leaking database credentials and secret authentication keys used by the WordPress installation.
- Access to a full site backup gives an attacker an offline copy of all stored user records, including email addresses, hashed passwords, and any personally identifiable information held in the database.
How HarborGuard Handles This
Status: Available on HarborGuard. Because no upstream fix for CVE-2026-39480 exists at this time, HarborGuard continuously monitors the Patchstack advisory and upstream plugin repository on every ingest cycle and will surface a patched-image rebuild the moment a remediated version is released. In the interim, customers are encouraged to use HarborGuard network-policy controls to restrict inbound HTTP access to affected WordPress deployments to known-safe IP ranges, and to review whether the Backup Migration plugin needs to be present in production images at all. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is available, with no manual steps required. The advisory status is visible in the HarborGuard dashboard under the affected image findings, and watch alerts can be configured to notify the appropriate team inbox the moment the status changes.
Affected Products
- Inisev / Backup Migration: ≤ 2.1.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N