The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wp_db_exclude_table parameter. This is due to the direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into the mysqldump shell command string in the mysqldump() function of includes/admin/class-wpdb-admin.php without wrapping them in escapeshellarg()—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, sanitize_text_field() via recursive_sanitize_text_field(), strips HTML tags but leaves shell metacharacters such as ;, |, ` `, and $() intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via update_option('wp_db_exclude_table') and later retrieved with get_option() and passed unsanitized to shell_exec()` whenever a backup operation runs.
CVE-2026-9834
Score 7.2 from GitHub Security Advisory (severity: HIGH) published 2026-07-02. a secondary CVSS source baseline 7.2; sources differ by 0.0.
- High severity, but no confirmed exploitation yet
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 7.2
- EG Score
- 7.2(high)
- EPSS
- 72.7%
- KEV
- Not listed
Published
July 2, 2026
Last Modified
July 2, 2026
References (8)
- security@wordfencehttps://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L216
- security@wordfencehttps://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2644
- security@wordfencehttps://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.10/includes/admin/class-wpdb-admin.php#L2654
- security@wordfencehttps://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L216
- security@wordfencehttps://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2644
- security@wordfencehttps://plugins.trac.wordpress.org/browser/wp-database-backup/tags/7.11/includes/admin/class-wpdb-admin.php#L2654
- security@wordfencehttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3574273%40wp-database-backup&new=3574273%40wp-database-backup&sfp_email=&sfph_mail=
- security@wordfencehttps://www.wordfence.com/threat-intel/vulnerabilities/id/0a97a217-b00b-4268-a472-8d62ae1d18e3?source=cve
Vendor Advisories for CVE-2026-9834(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 25× in last 7d / 25× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-07 03:41 UTCEG score recompute
- 2026-07-07 03:41 UTCGHSA enrichment
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 15:18 UTCEG score recompute
- 2026-07-06 15:18 UTCGHSA enrichment
- 2026-07-06 02:58 UTCEG score recompute
- 2026-07-06 02:58 UTCGHSA enrichment
- 2026-07-06 02:23 UTCEPSS rescore
- 2026-07-05 14:38 UTCEG score recompute
- 2026-07-05 14:38 UTCGHSA enrichment
- 2026-07-05 02:31 UTCEPSS rescore
- 2026-07-05 02:18 UTCEG score recompute
- 2026-07-05 02:18 UTCGHSA enrichment
- 2026-07-04 13:58 UTCEG score recompute
- 2026-07-04 13:58 UTCGHSA enrichment
- 2026-07-04 06:31 UTCEPSS rescore
- 2026-07-04 01:37 UTCEG score recompute
- 2026-07-04 01:37 UTCGHSA enrichment
- 2026-07-03 13:15 UTCEG score recompute
- 2026-07-03 13:15 UTCGHSA enrichment
- 2026-07-03 00:55 UTCEG score recompute
- 2026-07-03 00:55 UTCGHSA enrichment
- 2026-07-02 17:02 UTCEPSS rescore
- 2026-07-02 12:36 UTCEG score recompute
- 2026-07-02 12:36 UTCGHSA enrichment
Related CVEs(same CWE)
Same CWE
10 shownCWE-77
- CVE-2016-15057EG 9.9CRITICAL
- CVE-2014-5470EG 9.8EPSS 95%CRITICAL
- CVE-2013-2513EG 9.8CRITICAL
- CVE-2015-20108EG 9.8CRITICAL
- CVE-2015-10096NVD 5.0EG 9.8MEDIUM
- CVE-2017-20156NVD 5.5EG 9.8MEDIUM
- CVE-2016-20017EG 9.8 KEVEPSS 99%CRITICAL
- CVE-2016-4991EG 9.8CRITICAL
- CVE-2015-20107NVD 7.6EG 9.8EPSS 93%HIGH
- CVE-2014-4982EG 9.8EPSS 90%CRITICAL
Frequently asked(5)
What is CVE-2026-9834?
When was CVE-2026-9834 disclosed?
Is CVE-2026-9834 actively exploited?
What is the CVSS score of CVE-2026-9834?
How do I remediate CVE-2026-9834?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-9834
Is Your Infrastructure Affected by CVE-2026-9834?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.