PatchSiren cyber security CVE debrief
CVE-2026-14503 ploudapp CVE debrief
The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree.
- Vendor
- ploudapp
- Product
- pCloud WP Backup
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Authenticated attackers with subscriber-level access and above in WordPress installations using the pCloud WP Backup plugin versions up to and including 2.0.3 should be aware of this vulnerability.
Technical summary
The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure. Authenticated attackers with subscriber-level access and above can extract a full-site backup archive written to a publicly accessible directory, exposing sensitive information such as wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. This vulnerability exists in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner function. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered.
Defensive priority
Medium priority due to the potential for significant information exposure.
Recommended defensive actions
- Immediately update the pCloud WP Backup plugin to a version beyond 2.0.3 if available.
- Restrict access to the plugin's tmp/ directory to prevent unauthorized access.
- Monitor for any suspicious activity related to the wp2pcl_ajax_process_request_inner function.
- Consider implementing additional security measures such as web application firewalls to detect and prevent exploitation attempts.
- Regularly review and update WordPress and its plugins to ensure the latest security patches are applied.
Evidence notes
The CVE record was published on 2026-07-17T05:16:37.960Z and has not been modified since then. The NVD entry is currently Received. There are references to class-wp2pcloudfilebackup.php and pcloud-wp-backup.php. The vulnerability allows for the exposure of sensitive information including database credentials and PHP source code.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:37.960Z and has not been modified since then.