CVE-2025-12654
📋 TL;DR
The WPvivid Backup & Migration WordPress plugin allows authenticated attackers with Administrator privileges to create arbitrary directories on the server. This vulnerability affects all versions up to and including 0.9.120 due to insufficient path validation in the check_filesystem_permissions() function.
💻 Affected Systems
- WPvivid Backup & Migration WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create directories to hide malicious files, establish persistence, or prepare for further attacks like file upload exploits.
Likely Case
Directory creation for reconnaissance or staging malicious payloads, potentially leading to privilege escalation or backdoor installation.
If Mitigated
Limited to directory creation only; no direct file upload or code execution without additional vulnerabilities.
🎯 Exploit Status
Exploitation requires authenticated Administrator access; trivial to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 0.9.120
Vendor Advisory: https://wordpress.org/plugins/wpvivid-backuprestore/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Migration, Backup, Staging – WPvivid Backup & Migration'. 4. Click 'Update Now' if available, or manually update to latest version. 5. Verify plugin version is above 0.9.120.
🔧 Temporary Workarounds
Remove Administrator Access
allRestrict Administrator accounts to only trusted users and implement least privilege principles.
Disable Plugin
allTemporarily disable the WPvivid plugin until patched, if backup functionality is not immediately required.
🧯 If You Can't Patch
- Restrict WordPress Administrator accounts to minimal trusted personnel only.
- Implement file integrity monitoring to detect unauthorized directory creation.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPvivid Backup & Migration version. If version is 0.9.120 or lower, system is vulnerable.Check Version:
wp plugin list --name=wpvivid-backuprestore --field=version (if WP-CLI installed)Verify Fix Applied:
After updating, confirm plugin version is above 0.9.120 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual directory creation events in web server logs (e.g., Apache/Nginx access logs) or WordPress debug logs.
- Administrator account activity creating unexpected directories via plugin functions.
Network Indicators:
- HTTP POST requests to WPvivid plugin endpoints from Administrator accounts with directory creation parameters.
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" OR uri CONTAINS "wpvivid") AND (param CONTAINS "directory" OR param CONTAINS "path")🔗 References
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/wpvivid-backuprestore/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve
