Security Issues

BackWPup – WordPress Backup & Restore Plugin

by WP Media · 500,000 active installations · v5.6.9

0 critical · 5 high · 21793 medium · 2786 low · 2 info
24586 total findings · scanners: ai, phpcs, semgrep · ⚠ Contains security findings; details embargoed until the disclosure deadline

⏱ Disclosure Timeline

Audited & Notified
May 2, 2026
Security Summary (Day 30)
Jun 1, 2026
Full Disclosure (Day 90)
Jul 31, 2026

Findings

2 issues
ai inc/class-page-editjob.php:872
Edit job page outputs WordPress checkbox HTML without explicit esc_ wrapper
PHPCS flagged several `echo` statements in `inc/class-page-editjob.php` (L872, L886, L935) as potentially unescaped output. Review shows these lines call `checked()`, a WordPress core function that compares its two arguments and emits either the literal attribute ` checked='checked'` or nothing at all. The surrounding HTML is static string literals, and no user input reaches these echo statements. This is a PHPCS false positive: the `WordPress.Security.EscapeOutput` sniff cannot see that `checked()` can only produce a constant.
ai components/table-row-backups.php:339
Backup table row HTML buffered and echoed without explicit escaping (false positive)
PHPCS flagged `echo $tableRowHtml` in `components/table-row-backups.php` (L339) as unescaped output. Code review shows the buffer contains only plugin-controlled HTML with all user-supplied values properly escaped (e.g., `esc_attr($backup_id)` at L128). The phpcs:ignore comment is appropriate here — this is a false positive.

🔒 Security Findings

7 issues
Security Findings — Restricted Access

Security details are shared with the plugin developer during the 90-day disclosure period.

Embargoed until Jul 31, 2026

PHP_CodeSniffer

24577 coding standard violations
What is PHP_CodeSniffer?

PHP_CodeSniffer (PHPCS) is a static analysis tool that checks PHP code against a set of coding standards. The violations below were caught using the WordPress Coding Standards (WPCS) ruleset, the official style guide for WordPress plugins. The large majority are style issues (whitespace, indentation, naming, doc comments) that affect consistency, readability and long-term maintainability rather than security. WPCS does, however, also ship the `WordPress.Security` sniffs (`EscapeOutput`, `NonceVerification`, `ValidatedSanitizedInput`); those are the source of the "unescaped output" flags reviewed under Findings above, and they deserve a manual look even when, as there, they turn out to be false positives.

Run it yourself & auto-fix

Install PHPCS and the WordPress ruleset via Composer:

composer require --dev squizlabs/php_codesniffer wp-coding-standards/wpcs
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs

Then check your plugin:

./vendor/bin/phpcs --standard=WordPress backwpup/

Many violations can be fixed automatically with phpcbf (PHP Code Beautifier, bundled with PHPCS):

./vendor/bin/phpcbf --standard=WordPress backwpup/

phpcbf will auto-fix whitespace, indentation, and many formatting issues. It only applies sniffs that ship a fixer; the `WordPress.Security` sniffs have none, so any escaping, nonce or input-sanitization findings still have to be reviewed and fixed by hand. Review the diff before committing.

24577 violations found — run PHPCS locally (see above) to view the full list.
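With a run of this size, the first thing a practitioner wants is to separate the handful of `WordPress.Security` findings from the tens of thousands of style violations. The following script is an added example, not code from this audit page or from BackWPup: it reads the JSON report that phpcs writes with `--report=json`, splits findings into security sniffs versus style, lists the security findings by file and line for manual review, and counts how much of the rest phpcbf can handle. The embedded sample report is constructed to mirror the two findings above (paths and message text are illustrative); point it at a real `report.json` to triage an actual run.

```python
"""Triage a PHP_CodeSniffer JSON report: security sniffs first, style later.

Added example, not code from the audit page or from the BackWPup plugin.
Generate the real input with:
    ./vendor/bin/phpcs --standard=WordPress --report=json backwpup/ > report.json
then run:  python triage.py report.json
Without an argument the constructed SAMPLE_REPORT below is used.
"""
import json
import sys
from collections import Counter

# WPCS sniffs whose findings describe potential security defects rather than style.
SECURITY_PREFIX = "WordPress.Security."

# Constructed sample in the shape phpcs emits for --report=json. File paths,
# line numbers and messages are illustrative, not real audit output.
SAMPLE_REPORT = json.dumps({
    "totals": {"errors": 3, "warnings": 1, "fixable": 1},
    "files": {
        "backwpup/inc/class-page-editjob.php": {
            "errors": 2, "warnings": 0,
            "messages": [
                {"message": "All output should be run through an escaping function "
                            "(see the Security sections in the WordPress Developer "
                            "Handbooks), found 'checked'.",
                 "source": "WordPress.Security.EscapeOutput.OutputNotEscaped",
                 "severity": 5, "fixable": False, "type": "ERROR", "line": 872, "column": 9},
                {"message": "Tabs must be used to indent lines; spaces are not allowed",
                 "source": "Generic.WhiteSpace.DisallowSpaceIndent.SpacesUsed",
                 "severity": 5, "fixable": True, "type": "ERROR", "line": 12, "column": 1},
            ],
        },
        "backwpup/components/table-row-backups.php": {
            "errors": 1, "warnings": 1,
            "messages": [
                {"message": "Processing form data without nonce verification.",
                 "source": "WordPress.Security.NonceVerification.Recommended",
                 "severity": 5, "fixable": False, "type": "WARNING", "line": 40, "column": 14},
                {"message": "Missing short description in doc comment",
                 "source": "Generic.Commenting.DocComment.MissingShort",
                 "severity": 5, "fixable": False, "type": "ERROR", "line": 3, "column": 1},
            ],
        },
    },
})


def load_findings(report_text):
    """Flatten the per-file phpcs JSON structure into one list of finding dicts."""
    report = json.loads(report_text)
    findings = []
    for path, info in report["files"].items():
        for msg in info.get("messages", []):
            findings.append({
                "file": path,
                "line": msg["line"],
                "source": msg["source"],      # Standard.Category.Sniff.Code
                "type": msg["type"],          # ERROR or WARNING
                "fixable": bool(msg.get("fixable", False)),
                "message": msg["message"],
            })
    return findings


def is_security(finding):
    """True for findings raised by a WordPress.Security.* sniff."""
    return finding["source"].startswith(SECURITY_PREFIX)


def triage(findings):
    """Return (security, style); security is ordered by file then line for review."""
    security = sorted((f for f in findings if is_security(f)),
                      key=lambda f: (f["file"], f["line"]))
    style = [f for f in findings if not is_security(f)]
    return security, style


def summarize(findings):
    """Counts per sniff source, most frequent first: what phpcbf will mostly chew through."""
    return Counter(f["source"] for f in findings).most_common()


def main(argv):
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    security, style = triage(load_findings(text))
    print(f"{len(security)} security findings, {len(style)} style violations")
    for f in security:
        print(f"  {f['file']}:{f['line']} [{f['type']}] {f['source']}")
        print(f"      {f['message']}")
    fixable = sum(1 for f in style if f["fixable"])
    print(f"style: {fixable} of {len(style)} auto-fixable by phpcbf")
    for source, n in summarize(style):
        print(f"  {n:6d}  {source}")


if __name__ == "__main__":
    main(sys.argv)
```

If you only want the security sniffs in the first place, phpcs can restrict the run to them with `--sniffs=WordPress.Security.EscapeOutput,WordPress.Security.NonceVerification,WordPress.Security.ValidatedSanitizedInput`; the triage above is for when you already have the full report, and note that anything suppressed with a `phpcs:ignore` comment (as in `components/table-row-backups.php`) never reaches the report at all, so those suppressions have to be reviewed in the source.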