BackUpWordPress Vulnerability – Authenticated (Admin+) Directory Traversal – CVE-2024-3034 | WordPress Plugin Vulnerability Report

Plugin Name: BackUpWordPress

Key Information:

  • Software Type: Plugin
  • Software Slug: backupwordpress
  • Software Status: Active
  • Software Author: willmot
  • Software Downloads: 4,796,104
  • Active Installs: 100,000
  • Last Updated: May 10, 2024
  • Patched Versions: 3.14
  • Affected Versions: <= 3.13

Vulnerability Details:

  • Name: BackUpWordPress <= 3.13
  • Title: Authenticated (Admin+) Directory Traversal
  • Type: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  • CVE: CVE-2024-3034
  • CVSS Score: 2.7
  • Publicly Published: April 26, 2024
  • Researcher: dk0pf - Plumeria Lab
  • Description: The BackUpWordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.13 via the hmbkp_directory_browse parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to traverse directories outside of the context in which the plugin should allow.


The BackUpWordPress plugin for WordPress has a vulnerability in versions up to and including 3.13 that allows authenticated administrators to traverse directories outside of their intended limits. This vulnerability has been patched in version 3.14.

Detailed Overview:

The vulnerability in the BackUpWordPress plugin, identified by dk0pf of Plumeria Lab, involves an authenticated directory traversal flaw. This flaw allows users with administrator-level access to exploit the hmbkp_directory_browse parameter to access directories not typically accessible through the plugin. The risk of this vulnerability is somewhat mitigated by the requirement for administrator access, but it could lead to unauthorized information disclosure. The patch in version 3.14 addresses this issue by properly validating and sanitizing the input from the vulnerable parameter.

Advice for Users:

  • Immediate Action: Update to version 3.14 immediately.
  • Check for Signs of Vulnerability: Review your server logs for any unusual access patterns or file access that could indicate exploitation.
  • Alternate Plugins: While a patch is available, consider using alternative backup plugins as a precaution.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.


The prompt response from the developers of BackUpWordPress to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 3.14 or later to secure their WordPress installations.


Detailed Report: 

Keeping Your WordPress Website Secure: Why Regular Updates Cannot Wait

As a small business owner, your website is a critical asset that connects you with your customers and supports your operations. However, this digital doorway needs vigilant security, especially when using popular plugins that can become targets for cyber-attacks. The recent discovery of a vulnerability in the widely used BackUpWordPress plugin—key to countless WordPress sites for backups—highlights the ever-present need for regular updates.

About the Plugin and the Vulnerability:

BackUpWordPress, a popular plugin designed to help website owners manage their site backups, has recently been found to have a significant security flaw. Known as CVE-2024-3034, this flaw affects all plugin versions up to and including 3.13. The issue lies in the hmbkp_directory_browse parameter, which allows authenticated users with administrative access to navigate directories outside their intended scope—a serious security oversight known as directory traversal.

Risks and Impacts of the Vulnerability:

The directory traversal vulnerability primarily risks unauthorized data access and potential data leakage. While it requires administrator-level privileges to exploit, the impact can be substantial, risking sensitive data exposure and potential website compromise.

Vulnerability Remediation:

To address this vulnerability, the developers have released version 3.14 of the plugin, which patches the flaw. It is critical that you update to this latest version immediately if your website uses BackUpWordPress. Additionally, regularly review your server logs and website activity for any signs of unauthorized access or suspicious behavior to ensure no prior exploitation has occurred.

Previous Vulnerabilities:

This is not the first time vulnerabilities have been identified in the BackUpWordPress plugin. Since its inception, there have been two other documented instances of security issues, which further stresses the importance of keeping an eye on software updates and security advisories related to tools you use on your website.

Staying on Top of Security Vulnerabilities:

For small business owners, staying updated with every security patch and monitoring technical vulnerabilities can seem daunting. However, the potential cost and impact of a security breach far outweigh the effort to keep your site’s plugins and themes updated. Consider setting up automatic updates for trusted plugins and themes, or work with a managed hosting provider who can handle these updates for you.

Remember, the digital landscape is continuously evolving, and so are the tactics of those looking to exploit vulnerabilities. By taking proactive steps today, you can safeguard your business against potential threats tomorrow.


The recent vulnerability in the BackUpWordPress plugin serves as a stark reminder of the importance of maintaining up-to-date security measures on your website. As small business owners, it's crucial to not only react swiftly to such vulnerabilities but to anticipate and prepare for them through regular updates and by staying informed about potential security risks. Secure your digital assets as diligently as you would your physical ones—your business depends on it.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

BackUpWordPress Vulnerability – Authenticated (Admin+) Directory Traversal – CVE-2024-3034 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment