Security Alert Summary
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid contains a vulnerability that allows an unauthenticated attacker to cancel a pending rollback due to a missing capability check in the wp_ajax_cli_cancel handler. An attacker who successfully invokes this action can prevent an automatic rollback after a failed update, potentially leaving a site in a degraded or incorrect state.
CVE Details
- CVE ID: CVE-2026-3143
- Affected plugin or component: The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid
- Affected versions: All versions up to, and including, 1.17.1
- Published: May 1, 2026 at 2:16:22 PM UTC
- Last modified: May 1, 2026 at 3:26:24 PM UTC
- CVSS v3.1: Base Score 5.3, MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
- Authentication / Privileges / User interaction: No authentication required (Privileges: None); no user interaction required
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- CWE: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is caused by a missing capability check in the handler attached to the wp_ajax_cli_cancel action. Because the handler neither verifies the caller's capabilities (for example with current_user_can()) nor requires an authenticated session, an unauthenticated HTTP request to admin-ajax.php can invoke the cancel action for a pending rollback. In practical terms, this makes it possible for an attacker to cancel a pending automatic rollback that would otherwise revert a failed update. Note that a nonce check on its own would not be a fix: WordPress nonces defend against CSRF, not against a missing authorization check (CWE-862).
The described weakness does not itself disclose data or directly modify arbitrary content, but it affects the reliability of the plugin's automatic rollback mechanism. If the rollback is cancelled, the site may remain in the broken state after a failed update that the rollback was meant to revert.
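To make the CWE-862 pattern concrete, here is an added example (not the plugin's own code, and not taken from the advisory) of a WordPress admin-ajax handler hooked to the cli_cancel action, first without any authorization check and then hardened. The action name cli_cancel comes from the advisory; the cron hook name example_auto_rollback, the function names, the nonce action and the choice of the update_plugins capability are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Illustrates the CWE-862 pattern
// the advisory describes: an admin-ajax handler hooked to wp_ajax_cli_cancel
// that performs a privileged action without checking who is calling.
// 'cli_cancel' is the action named in the advisory; the cron hook name,
// nonce action and function names below are hypothetical.

// --- Vulnerable pattern (what a missing capability check looks like) ---
add_action( 'wp_ajax_cli_cancel', 'example_cancel_rollback_unchecked' );
// wp_ajax_{action} fires only for logged-in users; wp_ajax_nopriv_{action}
// fires for anonymous visitors. The advisory rates this issue as reachable
// without authentication, so the anonymous registration is shown here for
// illustration; whether the plugin itself registers it is not on this page.
add_action( 'wp_ajax_nopriv_cli_cancel', 'example_cancel_rollback_unchecked' );

function example_cancel_rollback_unchecked() {
    // No current_user_can(), no check_ajax_referer(): anyone who can send a
    // request to /wp-admin/admin-ajax.php?action=cli_cancel clears the job.
    wp_clear_scheduled_hook( 'example_auto_rollback' ); // hypothetical cron hook
    wp_send_json_success( 'Rollback cancelled.' );
}

// --- Hardened pattern ---
// Only the authenticated hook is registered. There is deliberately no
// wp_ajax_nopriv_ registration, so anonymous requests get WordPress's
// default "0" response and never reach the function.
add_action( 'wp_ajax_cli_cancel', 'example_cancel_rollback_checked' );

function example_cancel_rollback_checked() {
    // Authorization first. Cancelling an update rollback is an
    // update-management action, so require the capability that performing
    // the update itself needs. A nonce alone is NOT authorization; it only
    // proves the request originated from a page this site rendered.
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // CSRF protection. The admin page that offers the cancel button must
    // emit wp_create_nonce( 'example_cancel_rollback' ) and the JavaScript
    // must send it as the 'nonce' POST field; check_ajax_referer() dies
    // with a 403 if it is missing or invalid.
    check_ajax_referer( 'example_cancel_rollback', 'nonce' );

    $timestamp = wp_next_scheduled( 'example_auto_rollback' );
    if ( false === $timestamp ) {
        wp_send_json_error( 'No rollback is pending.', 404 );
    }

    // Remove exactly the pending event rather than every event on the hook.
    wp_unschedule_event( $timestamp, 'example_auto_rollback' );
    wp_send_json_success( 'Rollback cancelled.' );
}
```

The order matters: the capability check comes first because it is the control that was missing here, and the nonce check is added on top of it so that an administrator cannot be tricked into cancelling the rollback from a third-party page. If the plugin legitimately needs a non-browser (CLI or cron) client to cancel a rollback, that client should authenticate with its own credentials rather than the handler being opened to anonymous callers.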
How This Could Impact Your Website
Consider a small organization running WordPress where a site owner schedules updates, internal staff perform routine maintenance, and an external contractor occasionally installs or tests plugins. If an update fails and the plugin detects the failure, it may schedule an automatic rollback to restore service. An unauthenticated attacker able to call the vulnerable wp_ajax_cli_cancel handler could cancel that pending rollback.
Practical consequences include a longer-lasting degraded state after a failed update, broken functionality for editors or visitors, and potential short-term downtime while the issue is diagnosed and fixed. Because confidentiality impact is rated as None, this issue does not indicate data disclosure, but it does increase the chance that a failed update will not be automatically corrected, leaving the site in an incorrect or unstable state.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the plugin to a version newer than 1.17.1 as soon as one is available, and confirm the installed version afterwards; the vendor changeset and the Wordfence entry in the references below track the fix.
- Review and reduce unnecessary user roles and capabilities, especially for contributor-level and lower accounts. This is general hardening and does not by itself mitigate this issue, because the vulnerable handler is reachable without any account.
- Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor web server and application logs for requests to /wp-admin/admin-ajax.php that invoke the cli_cancel action, particularly from clients with no logged-in session or no wp-admin referer, and for rollback jobs that disappear from the scheduler after a failed update.
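As an added example of the log monitoring suggested above (not part of the advisory), the following PHP script scans web server access log lines in the Apache/Nginx "combined" format for requests to admin-ajax.php that name the cli_cancel action in the query string. The sample lines are constructed for the example, and the hostname example.test is a placeholder. One caveat a practitioner should keep in mind: the combined format records only the request line, so an action parameter sent in a POST body is invisible here; seeing those requires WAF or application-level logging of POST parameters.

```php
<?php
// Added example, not part of the advisory. Scans combined-format access log
// lines for calls to the cli_cancel admin-ajax action. Sample lines below
// are constructed, not real traffic.
//
// Caveat: only the request line (method, URL, protocol) is logged, so an
// "action=cli_cancel" carried in a POST body will not be matched. Enable
// WAF or application-level logging of POST parameters to cover that case.

const COMBINED_LOG_RE = '/^(?<ip>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] '
    . '"(?<method>[A-Z]+) (?<path>\S+) \S+" (?<status>\d{3}) (?<bytes>\S+) '
    . '"(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

/**
 * Return the log entries that invoke the cli_cancel AJAX action.
 * Each hit carries ip, time, method, path, status and referer.
 */
function find_cli_cancel_requests( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        if ( ! preg_match( COMBINED_LOG_RE, trim( $line ), $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }

        $url  = parse_url( $m['path'] );
        $file = $url['path'] ?? '';
        $ajax = '/wp-admin/admin-ajax.php';
        if ( substr( $file, -strlen( $ajax ) ) !== $ajax ) {
            continue;
        }

        $params = [];
        parse_str( $url['query'] ?? '', $params );
        if ( ( $params['action'] ?? '' ) !== 'cli_cancel' ) {
            continue;
        }

        $hits[] = [
            'ip'     => $m['ip'],
            'time'   => $m['time'],
            'method' => $m['method'],
            'path'   => $m['path'],
            'status' => (int) $m['status'],
            // A missing or off-site referer on an admin-ajax call is a useful
            // signal: the plugin's own cancel button is clicked from a
            // wp-admin page on this host, which the browser sends as referer.
            'referer' => ( '-' === $m['referer'] ) ? '' : $m['referer'],
        ];
    }
    return $hits;
}

// Constructed sample lines (placeholder IPs and host), not real traffic.
$sample = [
    '203.0.113.7 - - [01/May/2026:14:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=cli_cancel HTTP/1.1" 200 27 "-" "curl/8.5.0"',
    '198.51.100.4 - - [01/May/2026:14:20:05 +0000] "GET /index.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/May/2026:14:21:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '192.0.2.9 - - [01/May/2026:14:22:44 +0000] "GET /wp-admin/admin-ajax.php?action=cli_cancel&_wpnonce=deadbeef HTTP/1.1" 200 27 "https://example.test/wp-admin/admin.php?page=example" "Mozilla/5.0"',
];

foreach ( find_cli_cancel_requests( $sample ) as $hit ) {
    printf(
        "%s %s %s %s -> %d (referer: %s)\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'],
        '' === $hit['referer'] ? 'none' : $hit['referer']
    );
}
```

Run it with `php scan.php` after replacing the sample array with the lines from your own access log. Of the two hits it reports, the first (curl, no referer) is the shape of an anonymous cancel attempt, while the last (wp-admin referer, nonce present) looks like an administrator using the plugin's own UI; status codes in the 200 range on the anonymous call are the thing to worry about on an unpatched site.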
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/admin/class-boldgrid-backup-admin-auto-rollback.php#L1202
- https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/admin/class-boldgrid-backup-admin-core.php#L864
- https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/includes/class-boldgrid-backup.php#L459
- https://plugins.trac.wordpress.org/changeset/3480378/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f25dcd7e-8fb1-471e-bd22-782409de45c4?source=cve