CVE-2025-5961

7.2 HIGH

📋 TL;DR

The WPvivid Backup & Migration WordPress plugin allows authenticated administrators to upload arbitrary files because uploads are not validated for file type. This can lead to remote code execution on affected WordPress sites, particularly those served by NGINX, where nothing prevents an uploaded script from being executed. Exploitation requires an administrator-level account, so only sites where such an account has been compromised or misused are affected.

💻 Affected Systems

Products:
  • Migration, Backup, Staging – WPvivid Backup & Migration WordPress plugin
Versions: All versions up to and including 0.9.116
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires administrator-level access. NGINX servers are fully exposed, while Apache servers that honour .htaccess rules may partially restrict access to the uploaded files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Unauthorized file upload leading to webshell deployment and limited code execution within the WordPress context.

🟢 If Mitigated

File upload blocked or restricted to safe file types only, preventing code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials. Public proof-of-concept code is available in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.117 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3320877/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the WPvivid Backup & Migration plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable plugin temporarily (platform: all)

Deactivate the vulnerable plugin until it is patched:

wp plugin deactivate wpvivid-backuprestore

Restrict file upload directory access (platform: linux)

Add an NGINX rule that blocks web access to the plugin's upload directory. Place it before the location block that hands .php requests to PHP-FPM: NGINX uses the first matching regular-expression location, so the deny rule only wins if it comes first. This stops uploaded scripts from being served or executed but does not prevent the upload itself, so it is a stopgap, not a fix:

location ~* /wp-content/uploads/wpvivid-backuprestore/ { deny all; }

🧯 If You Can't Patch

  • Remove administrator access from untrusted users and implement strong password policies
  • Implement web application firewall rules to block suspicious file upload patterns

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin panel under Plugins → Installed Plugins

Check Version:

wp plugin get wpvivid-backuprestore --field=version

Verify Fix Applied:

Confirm the installed plugin version is 0.9.117 or later, and check that the plugin's file upload functionality now rejects disallowed file types.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to wpvivid-backuprestore directory
  • POST requests to wpvivid_upload_import_files endpoint with executable files

Network Indicators:

  • HTTP POST requests uploading files with .php, .exe, or other executable extensions to WordPress admin endpoints

SIEM Query (generic pattern; adapt field names to your platform):

source="web_server" AND (uri="*wpvivid_upload_import_files*" OR path="*/wpvivid-backuprestore/*") AND (file_extension="php" OR file_extension="exe" OR file_extension="sh")
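Worked detection logic for the two log indicators above, as an added example (not from the advisory or the plugin vendor): it parses constructed combined-format access-log lines, correlates POSTs to the upload endpoint with later requests for executable files under the plugin's upload directory per source IP, and ranks the result. The admin-ajax.php request path in the sample lines is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format, not real traffic); the admin-ajax.php path is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jun/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wpvivid_upload_import_files HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jun/2025:10:01:05 +0000] "GET /wp-content/uploads/wpvivid-backuprestore/upload.php HTTP/1.1" 200 44 "-" "curl/8.0"
198.51.100.7 - - [14/Jun/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=wpvivid_upload_import_files HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2025:10:02:30 +0000] "GET /wp-content/uploads/wpvivid-backuprestore/site-backup.zip HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jun/2025:10:05:00 +0000] "GET /wp-content/uploads/wpvivid-backuprestore/x.sh HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "wpvivid_upload_import_files"           # indicator from the advisory
BACKUP_DIR = "/wp-content/uploads/wpvivid-backuprestore/"  # plugin's upload directory
EXEC_EXT = (".php", ".phtml", ".exe", ".sh")               # extensions the advisory flags

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_exec_in_backup_dir(uri):
    path = uri.split("?", 1)[0].lower()   # drop the query string, ignore case
    return path.startswith(BACKUP_DIR) and path.endswith(EXEC_EXT)

def analyse(log_text):
    uploads, exec_hits = defaultdict(int), defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_ENDPOINT in rec["uri"]:
            uploads[rec["ip"]] += 1
        if is_exec_in_backup_dir(rec["uri"]):
            exec_hits[rec["ip"]].append((rec["uri"].split("?")[0], rec["status"]))
    alerts = []
    for ip, hits in exec_hits.items():
        # an import upload followed by a served script from the same source is the strongest
        # signal; a 403 on every hit means the deny rule held and this was only a probe
        sev = "high" if uploads.get(ip) else "medium"
        if all(status == "403" for _, status in hits):
            sev = "low"
        alerts.append({"ip": ip, "severity": sev, "uploads": uploads.get(ip, 0),
                       "paths": [p for p, _ in hits]})
    for ip, n in uploads.items():
        if ip not in exec_hits:   # upload activity alone: keep for context
            alerts.append({"ip": ip, "severity": "info", "uploads": n, "paths": []})
    rank = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(alerts, key=lambda a: rank[a["severity"]])
```

On the sample lines, analyse(SAMPLE_LOG) ranks 203.0.113.10 as high (upload then a served .php), 192.0.2.44 as low (blocked .sh probe) and 198.51.100.7 as info (upload of a .zip only).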
