CVE-2026-8996 in Backup and Staging by WP Time Capsule Plugin
Summary
by MITRE • 07/09/2026
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract download the most recently admin-decrypted SQL database backup, which typically contains password hashes, user credentials, and other sensitive site configuration data stored in the 'recent_decrypted_file' option. Exploitation requires that an administrator has previously performed a decrypt action, causing the decrypted SQL backup file to exist in the plugin's upload directory; without this prior admin action, there is no file to serve.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/09/2026
The vulnerability in WP Time Capsule plugin represents a critical sensitive information exposure flaw that undermines the security of WordPress installations. This weakness exists within the plugin's download_recent_decrypted_file_wptc functionality and affects all versions up to 1.22.26, creating a persistent risk for sites utilizing this backup solution. The vulnerability specifically targets authenticated attackers who possess subscriber-level privileges or higher, demonstrating how internal access controls can be exploited to gain unauthorized data access. The flaw operates through the plugin's handling of decrypted database backups stored in the recent_decrypted_file option, which contains highly sensitive information including password hashes and user credentials that are typically protected within secure backup environments.
The technical mechanism behind this vulnerability involves the plugin's improper file access control implementation. When administrators perform decrypt operations on backup files, the system stores these decrypted SQL databases in the plugin's upload directory where they remain accessible through a specific API endpoint. This design flaw allows attackers to bypass normal access controls and directly download the most recently decrypted backup file without proper authorization checks. The vulnerability requires a specific prerequisite condition - an administrator must have previously executed a decrypt action for the attack to succeed, but once this condition is met, any authenticated user with subscriber privileges can exploit the functionality. This creates a window of opportunity where legitimate administrative actions inadvertently create exploitable conditions that persist until the next backup operation or system restart.
The operational impact of this vulnerability extends beyond simple data theft to encompass complete compromise of WordPress site security infrastructure. Attackers who successfully exploit this vulnerability gain access to password hashes and user credentials stored in the SQL database, enabling them to potentially escalate privileges within the WordPress environment or conduct credential stuffing attacks against other systems. The sensitive configuration data exposed through this vulnerability provides attackers with insights into site architecture, database structure, and administrative practices that can be leveraged for further exploitation. Organizations using WP Time Capsule plugin face significant risk of unauthorized access, data breaches, and potential lateral movement within their network infrastructure, as the compromised credentials could enable access to other systems where users maintain accounts.
Mitigation strategies must address both immediate remediation and long-term security improvements to protect against this vulnerability. The primary recommendation involves updating to the latest version of WP Time Capsule plugin where this flaw has been patched, though administrators should verify that the update resolves all identified issues. Additional protective measures include implementing strict access controls within WordPress by limiting user roles and capabilities, monitoring for unauthorized backup file downloads through server logs, and establishing regular security audits of backup systems. Security professionals should also consider implementing network-level restrictions to prevent direct access to plugin upload directories and establish proper file permission controls that ensure only authorized processes can access sensitive backup files. Organizations should conduct comprehensive vulnerability assessments to identify any other plugins or components that may exhibit similar information exposure vulnerabilities, aligning with industry best practices for secure software development and maintenance as outlined in CWE categories related to information exposure and improper access control.