Backup and Staging by WP Time Capsule SQL Backup Exposure Vulnerability
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the download_recent_decrypted_file_wptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract download the most recently admin-decrypted SQL database backup, which typically contains password hashes, user credentials, and other sensitive site configuration data stored in the 'recent_decrypted_file' option. Exploitation requires that an administrator has previously performed a decrypt action, causing the decrypted SQL backup file to exist in the plugin's upload directory; without this prior admin action, there is no file to serve.
Quick answer
Backup and Staging by WP Time Capsule should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Backup and Staging by WP Time Capsule up to and including 1.22.26
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Backup and Staging by WP Time Capsule is affected by CVE-2026-8996. Vulnerable versions up to 1.22.26 can expose a recently decrypted SQL backup to subscriber-level users after an administrator decrypt action, risking database credential and password hash disclosure.
- Inventory WordPress sites using Backup and Staging by WP Time Capsule.
- Update Backup and Staging by WP Time Capsule beyond 1.22.26 when a fixed release is available.
- Remove decrypted SQL backup files from plugin upload directories and temporary paths.
- Disable the vulnerable download action with WAF/server rules until patched.
- Review subscriber accounts and remove suspicious or unnecessary low-privilege users.
- Rotate database credentials and WordPress salts if decrypted backups may have been downloaded.
- Move backups outside the web root and enforce private storage permissions.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Backup and Staging by WP Time Capsule is no longer version 1.22.26 or older.
- Confirm no decrypted SQL backups remain in web-accessible directories.
- Attempt the vulnerable download flow as a subscriber in staging and confirm access is denied.
- Review access logs for download_recent_decrypted_file_wptc requests.
- Run a Fixnx scan and confirm public backup exposure signals are rechecked.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-8996?
Backup and Staging by WP Time Capsule versions listed as affected should be reviewed: Backup and Staging by WP Time Capsule up to and including 1.22.26.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
