{"id":"CVE-2025-2257","details":"The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution (OS command injection) in all versions up to, and including, 1.16.10 via the compression_level setting. The plugin passes the stored compression_level value into the command it runs with proc_open() without validating it (for example, constraining it to a numeric value), so a crafted value can inject additional shell commands. This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary commands on the web server with the privileges of the PHP process. Because administrator-level access is required, the practical risk is that an administrator account (or a compromised one) gains shell access on the host, which matters most on shared or managed hosting where administrators are not otherwise permitted to execute code. The issue is fixed in version 1.17.0.","modified":"2026-04-09T10:37:01.868389Z","published":"2025-03-26T09:15:16.647Z","references":[{"type":"ADVISORY","url":"https://plugins.svn.wordpress.org/boldgrid-backup/tags/1.16.7/admin/compressor/class-boldgrid-backup-admin-compressor-system-zip.php"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec3cc3e-c11b-43b6-9dd0-caa5ccfb90c8?source=cve"},{"type":"FIX","url":"https://github.com/BoldGrid/boldgrid-backup/pull/622/files"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3257988%40boldgrid-backup&new=3257988%40boldgrid-backup&sfp_email=&sfph_mail=#file9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/BoldGrid/boldgrid-backup","events":[{"introduced":"0"},{"fixed":"64def76cab7c4f605c437fb328838212916e8efc"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.17.0"}]}}],"versions":["1.0","1.0.1","1.0.2","1.10.0","1.10.0-alpha.1","1.10.0-rc.1","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.11.0","1.11.0-rc.1","1.11.0-rc.2","1.11.0-rc.3","1.11.1","1.11.2","1.11.4-rc.1","1.11.5","1.11.6","1.11.7","1.11.8","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.12.6","1.13.0","1.13.1","1.13.2","1.14.0","1.14.1","1.14.10","1.14.11","1.14.12","1.14.13","1.14.2","1.14.3","1.14.4","1.14.5","1.14.6","1.14.7","1.14.8","1.14.9","1.15.0","1.15.1","1.15.10","1.15.2","1.15.3","1.15.4","1.15.5","1.15.6","1.15.7","1.15.8","1.15.9","1.16.0","1.16.1","1.16.10","1.16.3","1.16.4"
,"1.16.5","1.16.6","1.16.8","1.16.9","1.2","1.2.1","1.2.2","1.2.3","1.3","1.3.1","1.3.10","1.3.11","1.3.12","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.5","1.5.1","1.6.0","1.6.0-alpha.1","1.6.0-alpha.2","1.6.0-alpha.3","1.6.0-rc.1","1.6.0-rc.2","1.6.0-rc.3","1.6.0-rc.4","1.6.0-rc.5","1.6.0-rc.6","1.6.0-rc.7","1.6.1","1.6.2","1.6.4","1.6.5","1.7.0","1.7.0-alpha.1","1.7.0-rc.1","1.7.1","1.7.2","1.7.3-rc.1","1.8.0","1.9.0","1.9.0-rc.2","1.9.1","1.9.2","1.9.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-2257.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}