BackWPup Vulnerability – WordPress Backup Plugin – Plaintext Storage of Backup Destination Password – CVE-2023-5775 | WordPress Plugin Vulnerability Report

Plugin Name: BackWPup – WordPress Backup Plugin

Key Information:

  • Software Type: Plugin
  • Software Slug: backwpup
  • Software Status: Active
  • Software Author: wp_media
  • Software Downloads: 13,687,961
  • Active Installs: 600,000
  • Last Updated: February 27, 2024
  • Patched Versions: 4.0.3
  • Affected Versions: <= 4.0.2

Vulnerability Details:

  • Name: BackWPup <= 4.0.2
  • Title: Plaintext Storage of Backup Destination Password
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
  • CVE: CVE-2023-5775
  • CVSS Score: 2.2
  • Publicly Published: February 23, 2024
  • Researcher: Stefan Marjanov
  • Description: The BackWPup plugin for WordPress, utilized for scheduling and managing backups, has been identified as storing backup destination passwords in plaintext in versions up to and including 4.0.2. This vulnerability exposes backup passwords to risk, as they can be accessed by anyone with administrator-level access either directly through the plugin's user interface or from the WordPress database options table.


The BackWPup plugin, a critical tool for WordPress site backups, harbors a significant security flaw in its handling of backup destination passwords. In versions up to 4.0.2, these passwords are stored without encryption, posing a risk to data security. This issue has been rectified in the latest patch, version 4.0.3.

Detailed Overview

Discovered by researcher Stefan Marjanov, this vulnerability exposes backup destination passwords to potential unauthorized access. The lack of encryption for these passwords means that anyone with administrative access to the WordPress site or its database can easily retrieve these sensitive credentials. The updated version 4.0.3 addresses this issue by implementing proper encryption for storing passwords, thereby enhancing the security of the backup process.
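The difference between the two storage approaches described above, as an added PHP illustration; it is not BackWPup's code and does not claim to reproduce how version 4.0.3 encrypts. The `$options` array stands in for the WordPress options table, and the option name `example_backup_job`, the `dest_pass` key, the `enc1:` prefix and the key material are all hypothetical.

```php
<?php
// Added illustration, not BackWPup code. $options stands in for the options
// table; the option name, array key and "enc1:" prefix are hypothetical.
$options = [];

// Assumption: the secret lives outside the database (wp-config.php or an
// environment variable). Constructed value for this demo only.
const DEMO_KEY_MATERIAL = 'constructed-demo-secret-not-for-production';

function storage_key(): string {
    // Derive a fixed-length secretbox key from the configured secret.
    return sodium_crypto_generichash(DEMO_KEY_MATERIAL, '', SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
}

// Weak: the password lands in the options row exactly as typed.
function save_destination_plain(array &$options, string $password): void {
    $options['example_backup_job'] = serialize(['dest_pass' => $password]);
}

// Hardened: authenticated encryption with a fresh nonce on every write.
function save_destination_encrypted(array &$options, string $password): void {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($password, $nonce, storage_key());
    $options['example_backup_job'] = serialize(['dest_pass' => 'enc1:' . base64_encode($nonce . $box)]);
}

function load_destination(array $options): string {
    $job = unserialize($options['example_backup_job'], ['allowed_classes' => false]);
    $val = $job['dest_pass'];
    if (strncmp($val, 'enc1:', 5) !== 0) {
        throw new RuntimeException('plaintext credential in options row; re-save to encrypt');
    }
    $raw = base64_decode(substr($val, 5), true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, storage_key());
    if ($plain === false) {
        throw new RuntimeException('ciphertext failed authentication');
    }
    return $plain;
}

save_destination_plain($options, 'constructed-destination-password');
echo $options['example_backup_job'], PHP_EOL;  // row as a database reader sees it
save_destination_encrypted($options, 'constructed-destination-password');
echo $options['example_backup_job'], PHP_EOL;  // same row after the hardened write
echo load_destination($options), PHP_EOL;      // value recovered for the backup job
```

Because the key sits on the same host, this protects against a database-only read (an SQL dump or a query on the options table), not against someone who can also read the site's configuration. Rotating the destination password after upgrading covers any copy that was already exposed in plaintext.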

Advice for Users

  • Immediate Action: Users of the BackWPup plugin are urged to update to version 4.0.3 immediately to eliminate the risk associated with this vulnerability.
  • Check for Signs of Vulnerability: Administrators should review backup settings and ensure no unauthorized access has occurred, especially if using affected versions.
  • Alternate Plugins: Considering alternative backup solutions with robust security features may provide an additional layer of safety.
  • Stay Updated: Regularly updating all WordPress plugins and themes is essential to maintaining a secure online presence and protecting against known vulnerabilities.


The swift action taken by the developers of BackWPup to address the vulnerability highlighted by CVE-2023-5775 is a testament to the importance of maintaining the security of WordPress plugins. For site administrators, particularly those managing business-critical sites, this incident underscores the necessity of vigilance in plugin selection and the need for regular updates. By adopting a proactive approach to site maintenance, including the use of secure plugins and regular security audits, WordPress site owners can significantly mitigate the risk of security breaches.



Previous vulnerabilities in the BackWPup plugin underscore the ongoing challenge of securing complex WordPress ecosystems. Staying informed and responsive to updates is crucial for all WordPress users, particularly small business owners who may lack extensive IT resources.

In the dynamic world of website management, maintaining the security of WordPress plugins is not just a recommendation; it's a necessity for safeguarding your digital assets. The recent discovery of a vulnerability in the "BackWPup – WordPress Backup Plugin," a tool relied upon by over 600,000 WordPress sites for data backup, underscores this point emphatically. Identified as CVE-2023-5775, this security flaw exposed backup destination passwords by storing them in plaintext, posing a significant risk to data security and integrity.

This vulnerability allowed anyone with administrator-level access to retrieve sensitive backup passwords directly from the plugin's UI or the WordPress options table. The lack of encryption for these passwords meant potential unauthorized access to backup data, undermining the very purpose of the plugin.

Mitigation Steps

To address this vulnerability, the plugin's developers released version 4.0.3, which implements proper encryption for storing backup destination passwords. Users are urged to update their plugin immediately to this latest version to secure their backup settings. Additionally, reviewing backup configurations and monitoring for unauthorized access is recommended to ensure no exploitation has occurred.

Previous Vulnerabilities

The BackWPup plugin has had 5 documented vulnerabilities since March 2, 2011. This history emphasizes the ongoing challenge of securing complex WordPress plugins and the importance of regular security audits and updates.

For small business owners, this incident serves as a critical reminder of the ever-present nature of cybersecurity threats and the importance of staying vigilant. Keeping plugins and themes updated, employing robust security measures, and regularly reviewing site security can greatly mitigate the risk of vulnerabilities. In the fast-paced digital world, taking a proactive stance on security is not just beneficial—it's essential for safeguarding your online presence and the trust of your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.


