CVE-2026-9834
The WP Database Backup - Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. The mysqldump() function in includes/admin/class-wpdb-admin.php concatenates the user-supplied $_POST['wp_db_exclude_table'] values directly into the mysqldump shell command string without wrapping them in escapeshellarg(). Every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is escaped properly; the exclude-table values are the sole exception. The only filtering applied to them, sanitize_text_field() called through recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as the semicolon (;), pipe (|), backtick and $( ) intact. This makes it possible for authenticated attackers with administrator-level access and above to execute arbitrary operating system commands on the server, potentially enabling full remote code execution.
The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table'), later retrieved with get_option(), and passed without escaping to shell_exec() whenever a backup operation runs. The injected command therefore executes on every subsequent backup, not only at the moment the form is submitted.
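The following is an added illustration, not code from the plugin or from the advisory: a minimal stand-in for the command builder described above, in the vulnerable form (exclude-table values concatenated raw) and a hardened form (allow-list validation plus escapeshellarg()), together with a check an operator can run against the value stored in the wp_db_exclude_table option. Everything outside the advisory's text is an assumption: it runs as a plain PHP CLI script with no WordPress loaded, approx_sanitize_text_field() is only an approximation of sanitize_text_field(), the in-memory $options array stands in for update_option()/get_option(), and the --ignore-table=db.table form is assumed to be how excluded tables reach mysqldump. The input value is constructed and no shell_exec() is ever called.

```php
<?php
// Added example, not the plugin's own code. Assumptions: plain PHP CLI, no
// WordPress loaded; approx_sanitize_text_field() approximates
// sanitize_text_field(); $options stands in for the WP options table; the
// --ignore-table=db.table form is assumed for excluded tables.

declare(strict_types=1);

// Approximation of WP's sanitize_text_field(): HTML tags removed, whitespace
// trimmed. Shell metacharacters such as ; | ` $( ) pass through unchanged.
function approx_sanitize_text_field(string $value): string
{
    return trim(strip_tags($value));
}

// Vulnerable pattern: every argument except the exclude-table values goes
// through escapeshellarg(); the exclude values are concatenated raw.
function build_dump_command_vulnerable(
    string $user, string $pass, string $host, string $db, array $exclude, string $file
): string {
    $cmd = 'mysqldump --user=' . escapeshellarg($user)
         . ' --password=' . escapeshellarg($pass)
         . ' --host=' . escapeshellarg($host);
    foreach ($exclude as $table) {
        $cmd .= ' --ignore-table=' . $db . '.' . $table;   // no escaping here
    }
    return $cmd . ' ' . escapeshellarg($db) . ' > ' . escapeshellarg($file);
}

// A table name that is safe to place on a command line: letters, digits,
// underscore, at most 64 characters (the MySQL identifier length limit).
function is_valid_table_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1;
}

// Hardened form: reject anything that is not a plain identifier, then still
// wrap the argument in escapeshellarg() so the shell never parses user input.
function build_dump_command_hardened(
    string $user, string $pass, string $host, string $db, array $exclude, string $file
): string {
    $cmd = 'mysqldump --user=' . escapeshellarg($user)
         . ' --password=' . escapeshellarg($pass)
         . ' --host=' . escapeshellarg($host);
    foreach ($exclude as $table) {
        if (!is_valid_table_name($table)) {
            throw new InvalidArgumentException("refusing exclude-table value: $table");
        }
        $cmd .= ' --ignore-table=' . escapeshellarg($db . '.' . $table);
    }
    return $cmd . ' ' . escapeshellarg($db) . ' > ' . escapeshellarg($file);
}

// Operator check: does a stored option value contain shell metacharacters?
// Intended to be run against the wp_db_exclude_table option of an existing site.
function exclude_value_looks_injected(string $storedValue): bool
{
    return preg_match('/[;&|`$(){}<>\n\r]/', $storedValue) === 1;
}

// --- Demonstration with constructed values (no shell_exec() is called) ---
$options   = [];                  // stand-in for the WP options table
$submitted = 'wp_users; id';      // constructed attacker input, tags-free so it survives sanitising
$options['wp_db_exclude_table'] = approx_sanitize_text_field($submitted);   // update_option()

$stored = $options['wp_db_exclude_table'];                                  // get_option()
echo "stored value : $stored\n";
echo "metachars?   : " . (exclude_value_looks_injected($stored) ? 'yes' : 'no') . "\n";
echo "vulnerable   : " . build_dump_command_vulnerable('wp', 's3cret', 'localhost', 'wordpress', [$stored], '/tmp/backup.sql') . "\n";
try {
    echo "hardened     : " . build_dump_command_hardened('wp', 's3cret', 'localhost', 'wordpress', [$stored], '/tmp/backup.sql') . "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened     : rejected (" . $e->getMessage() . ")\n";
}
echo "hardened, ok : " . build_dump_command_hardened('wp', 's3cret', 'localhost', 'wordpress', ['wp_users'], '/tmp/backup.sql') . "\n";
```

Running the script shows the vulnerable command line ending in an unquoted "; id" that a shell would execute as a second command, while the hardened builder refuses the same value before any command string is built. On a live site the stored value can be read with WP-CLI (wp option get wp_db_exclude_table) and fed to exclude_value_looks_injected(); a hit indicates either a tampered setting or an operator-entered value that the plugin would have passed to the shell unescaped.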
CVSS 3.1 base score: 7.2 (High; the page filters this CVE under "base score ≥ 7.0")
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

ATT&CK techniques
1 technique this CVE enables. High-confidence entries are named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. An N× marker indicates a technique that N independent sources agree on.
CAPEC attack patterns
8 attack patterns this CVE enables (the bridge from weakness to ATT&CK technique).