WP Database Backup <= 7.11 - Authenticated (Administrator+) OS Command Injection via 'wp_db_exclude_table' Parameter
Summary
| CVE | CVE-2026-9834 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-02 10:16:29 UTC |
| Updated | 2026-07-02 13:58:56 UTC |
| Description | The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. This is due to the direct concatenation of user-supplied `$_POST['wp_db_exclude_table']` values into the `mysqldump` shell command string in the `mysqldump()` function of `includes/admin/class-wpdb-admin.php` without wrapping them in `escapeshellarg()`—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, `sanitize_text_field()` via `recursive_sanitize_text_field()`, strips HTML tags but leaves shell metacharacters such as `;`, `|`, `` ` ``, and `$()` intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via `update_option('wp_db_exclude_table')` and later retrieved with `get_option()` and passed unsanitized to `shell_exec()` whenever a backup operation runs. |
Risk And Classification
Primary CVSS: v3.1 7.2 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.015880000 probability, percentile 0.726530000 (date 2026-07-04)
Problem Types: CWE-77 | CWE-77 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
HighUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Databasebackup | WP Database Backup Unlimited Database Files Backup By Backup For WP | affected 7.11 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpd... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpd... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/changeset | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/0a97a217-b00b-4268-a472-8d62a... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpd... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpd... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpd... | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpd... | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Irwan Kusuma (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-07-01T00:00:00.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.