PatchSiren cyber security CVE debrief
CVE-2026-39480 Inisev CVE debrief
CVE-2026-39480 is a HIGH severity vulnerability (CVSS Score: 7.5) in the Backup Migration plugin for WordPress, affecting versions up to and including 2.1.1. This vulnerability allows unauthenticated attackers to access sensitive data. The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-39480) and additional details can be found on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-39480).
- Vendor
- Inisev
- Product
- Backup Migration
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Administrators and users of the Backup Migration plugin for WordPress should be aware of this vulnerability, especially if they are using version 2.1.1 or earlier.
Technical summary
CVE-2026-39480 is classified under CWE-201. The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a high severity level.
Defensive priority
HIGH
Recommended defensive actions
- Update the Backup Migration plugin to a version that fixes this vulnerability.
- Review and restrict access to sensitive data.
- Monitor for any suspicious activity related to the Backup Migration plugin.
Evidence notes
Evidence suggests that this vulnerability was discovered and reported by Patchstack (see [ref-4](https://patchstack.com/database/wordpress/plugin/backup-backup/vulnerability/wordpress-backup-migration-plugin-2-1-1-sensitive-data-exposure-vulnerability?_s_id=cve)).
Official resources
-
CVE-2026-39480 CVE record
CVE.org
-
CVE-2026-39480 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39480 was published on 2026-06-15T21:16:44.340Z and modified on 2026-06-15T21:24:32.790Z.