{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/215597?format=json","vulnerability_id":"VCID-wnxx-weqd-sbf8","summary":"","aliases":[{"alias":"CVE-2019-25224"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25224","reference_id":"","reference_type":"","scores":[{"value":"0.85348","scoring_system":"epss","scoring_elements":"0.99379","published_at":"2026-06-04T12:55:00Z"},{"value":"0.85348","scoring_system":"epss","scoring_elements":"0.9938","published_at":"2026-06-05T12:55:00Z"},{"value":"0.85348","scoring_system":"epss","scoring_elements":"0.99381","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-25224"},{"reference_url":"https://packetstormsecurity.com/files/153781/","reference_id":"153781","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-25T17:10:45Z/"}],"url":"https://packetstormsecurity.com/files/153781/"},{"reference_url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve","reference_id":"d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-25T17:10:45Z/"}],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve"},{"reference_url":"https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html","reference_id":"os-command-injection-in-wp-database-backup.html","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/
UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-25T17:10:45Z/"}],"url":"https://blog.sucuri.net/2019/06/os-command-injection-in-wp-database-backup.html"},{"reference_url":"https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/","reference_id":"os-command-injection-vulnerability-patched-in-wp-database-backup-plugin","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-25T17:10:45Z/"}],"url":"https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/"},{"reference_url":"https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup","reference_id":"wp-database-backup","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-25T17:10:45Z/"}],"url":"https://plugins.trac.wordpress.org/changeset/2078035/wp-database-backup"},{"reference_url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb","reference_id":"wp_db_backup_rce.rb","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-25T17:10:45Z/"}],"url":"https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/wp_db_backup_rce.rb"}],"weaknesses":[{"cwe_id":78,"name":"Improper Neutralization of Special Elements used in an OS Command ('OS Command 
Injection')","description":"The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."}],"exploits":[{"date_added":null,"description":"There exists a command injection vulnerability in the WordPress plugin\n          `wp-database-backup` for versions < 5.2.\n\n          For the backup functionality, the plugin generates a `mysqldump` command\n          to execute. The user can choose specific tables to exclude from the backup\n          by setting the `wp_db_exclude_table` parameter in a POST request to the\n          `wp-database-backup` page. The names of the excluded tables are included in\n          the `mysqldump` command unsanitized. Arbitrary commands injected through the\n          `wp_db_exclude_table` parameter are executed each time the functionality\n          for creating a new database backup is run.\n\n          Authentication is required to successfully exploit this vulnerability.","required_action":null,"due_date":null,"notes":"Reliability:\n  - unknown-reliability\nStability:\n  - unknown-stability\nSideEffects:\n  - unknown-side-effects\n","known_ransomware_campaign_use":false,"source_date_published":"2019-04-24","exploit_type":null,"platform":"Linux,Windows","source_date_updated":null,"data_source":"Metasploit","source_url":"https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/wp_db_backup_rce.rb"}],"severity_range_score":"9.8 - 9.8","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wnxx-weqd-sbf8"}