CVE-2026-6227 | wp_media BackWPup Plugin up to 5.6.6 on WordPress REST Endpoint getblock str_replace block_name path traversal


A vulnerability rated critical has been found in the wp_media BackWPup plugin for WordPress, in versions up to 5.6.6. It affects the function str_replace in the REST endpoint /wp-json/backwpup/v1/getblock. Manipulating the argument block_name leads to path traversal.

This vulnerability is cataloged as CVE-2026-6227. It is possible to initiate the attack remotely. There is no exploit available.

You should upgrade the affected component.
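
One way to review web server access logs for requests matching the pattern described above (an added example, not code from VulDB or from the plugin): it flags `block_name` values sent to the `getblock` route that decode to `..` path segments. It assumes combined-format log lines and that `block_name` arrives in the query string; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/wp-json/backwpup/v1/getblock"   # endpoint named in the advisory
REST_ROUTE = "/backwpup/v1/getblock"         # same route via WordPress's ?rest_route= form
PARAM = "block_name"                         # argument named in the advisory

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
DOTDOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a ".." path segment

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_block_names(log_line):
    """Return decoded block_name values on the getblock route containing '..' segments."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    query = parse_qs(url.query, keep_blank_values=True)   # decodes one layer
    path = fully_decode(url.path).rstrip("/")
    routes = [fully_decode(r).rstrip("/") for r in query.get("rest_route", [])]
    if not (path.endswith(ENDPOINT) or REST_ROUTE in routes):
        return []
    values = [fully_decode(v) for v in query.get(PARAM, [])]
    return [v for v in values if DOTDOT_RE.search(v)]

def scan(lines):
    """Map line index -> flagged values, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious_block_names(line))}

# Constructed sample lines (not real traffic). Assumption: block_name is a query parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=example-block HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=..%2F..%2Fexample HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2026:10:00:06 +0000] "GET /wp-json/backwpup/v1/getblock?block_name=%252e%252e%252fexample HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2026:10:00:07 +0000] "GET /index.php?rest_route=/backwpup/v1/getblock&block_name=..%5Cexample HTTP/1.1" 200 90',
    '203.0.113.4 - - [01/Jan/2026:10:00:09 +0000] "GET /wp-json/wp/v2/posts?search=..%2Fexample HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {hits}")
```

If the parameter is sent in a request body instead, access logs will not contain it, and the same check has to run where bodies are visible, such as a WAF or reverse proxy.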