PatchSiren cyber security CVE debrief
CVE-2016-20076 ChrisHurst CVE debrief
CVE-2016-20076 is a high-severity vulnerability (CVSS Score: 8.7) affecting WordPress Simple-Backup version 2.7.11. The vulnerability allows unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating parameters in tools.php. Attackers can exploit insufficient input validation using directory traversal techniques to access sensitive files like wp-config.php, database dumps, or delete critical files like .htaccess, potentially exposing backup directories.
- Vendor: ChrisHurst
- Product: Simple Backup
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WordPress Simple-Backup 2.7.11 should be aware of this vulnerability and take immediate action to secure their installations.
Technical summary
The vulnerability is caused by insufficient validation of the delete_backup_file and download_backup_file parameters in tools.php, which allows directory traversal.
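A log scan for this pattern, as an added example that is not from the advisory or the plugin: it flags requests to tools.php whose delete_backup_file or download_backup_file value contains `..` or a path separator after repeated percent-decoding. The sample log lines, the /wp-admin/ prefix, and the premise that legitimate values are bare file names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAMS = ("delete_backup_file", "download_backup_file")  # named in the advisory
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed access-log lines, not real traffic. The /wp-admin/ prefix and
# the file names are assumptions for illustration.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-admin/tools.php?download_backup_file=backup-2025-01-01.tar.gz HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:02:11 +0000] "GET /wp-admin/tools.php?download_backup_file=..%2Fwp-config.php HTTP/1.1" 200 3021',
    '203.0.113.9 - - [01/Jan/2025:10:02:15 +0000] "GET /wp-admin/tools.php?delete_backup_file=%2e%2e%5c.htaccess HTTP/1.1" 302 0',
    '198.51.100.4 - - [01/Jan/2025:10:05:00 +0000] "GET /index.php?download_backup_file=../x HTTP/1.1" 200 812',
    '198.51.100.4 - - [01/Jan/2025:10:05:09 +0000] "GET /wp-admin/tools.php?delete_backup_file=%252e%252e%252fwp-config.php HTTP/1.1" 302 0',
])

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """Assumption: a legitimate value is a bare file name (no '..', separators, NUL)."""
    v = decode_fully(value)
    return ".." in v or "/" in v or "\\" in v or "\x00" in v

def scan(log_text):
    """Return (line number, client, parameter, decoded value) for each suspicious hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/tools.php"):
            continue  # only the script named in the advisory
        query = parse_qs(url.query, keep_blank_values=True)  # decodes once
        for name in PARAMS:
            for value in query.get(name, []):
                if is_traversal(value):
                    findings.append((lineno, line.split()[0], name, decode_fully(value)))
    return findings

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The scan only sees query strings, so requests that carry these parameters in a POST body need request-body logging or a WAF rule to be covered.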
Defensive priority
High
Recommended defensive actions
- Update WordPress Simple-Backup to a patched version if available.
- Restrict access to tools.php to authenticated users only.
- Implement additional security measures to protect sensitive files and directories.
Evidence notes
Evidence from [ref-4](https://www.exploit-db.com/exploits/39883) and [ref-5](https://www.vulncheck.com/advisories/wordpress-simple-backup-arbitrary-file-deletion-and-download) supports the existence of this vulnerability.
Official resources
CVE-2016-20076 was published on 2026-06-15T14:16:30.940Z and has not been modified since.