Unrated severity · NVD Advisory · Published Feb 22, 2025 · Updated Apr 8, 2026

Migration, Backup, Staging – WPvivid <= 0.9.112 - Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file

CVE-2024-13869

Description

Authenticated admin-level arbitrary file upload in WPvivid Backup & Migration plugin (≤0.9.112) leads to RCE on NGINX servers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WPvivid Backup & Migration plugin for WordPress contains an arbitrary file upload vulnerability in the upload_files function due to missing file type validation. This affects all versions up to and including 0.9.112. The vulnerability is present regardless of the web server, but the uploaded files are only accessible on servers running NGINX because the existing .htaccess file in the target upload folder blocks access on Apache servers [1].

Exploitation

An attacker must have Administrator-level access to the WordPress site. They can then call the upload_files function without any file type restrictions, allowing them to upload arbitrary files (e.g., PHP shells) to the server. The uploaded file is stored in a directory that is accessible via the web only on NGINX-based installations; on Apache, the .htaccess rules prevent direct access.

Impact

Successful exploitation allows the attacker to upload arbitrary files, including executable PHP scripts. This can lead to remote code execution (RCE) on the server, resulting in full compromise of the WordPress site and potentially the underlying server. The impact is limited to NGINX web servers due to the access restriction on Apache.

Mitigation

The vendor has released version 0.9.127 (as of the plugin's last update) which likely addresses this vulnerability [1]. Users should update to the latest version immediately. For Apache servers, the .htaccess file provides a partial mitigation by blocking direct access to uploaded files, but updating is still strongly recommended. No workaround is available for NGINX servers other than applying the patch.
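
An added example, not code from the plugin or from this advisory: a defender-side audit that walks a backup upload folder and flags files that look like PHP, the kind of file the missing type check lets through. The folder path is supplied by the operator (the advisory does not name it), and the extension list and content markers are assumptions.

```python
import tempfile
from pathlib import Path

# Extensions commonly handed to the PHP interpreter (assumption: adjust to your NGINX config).
EXEC_EXTS = {".php", ".phtml", ".phar", ".pht", ".php5", ".php7"}
PHP_MARKERS = (b"<?php", b"<?=")


def audit_upload_dir(root, head_bytes=4096):
    """Return sorted (relative_path, reason) pairs for files that look like PHP."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes and suffixes[-1] in EXEC_EXTS:
            findings.append((rel, "executable-extension"))
        elif any(s in EXEC_EXTS for s in suffixes):
            # e.g. name.php.txt: only runs under a lax handler, still unexpected here
            findings.append((rel, "embedded-executable-extension"))
        else:
            try:
                with path.open("rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if any(marker in head for marker in PHP_MARKERS):
                findings.append((rel, "php-marker-in-content"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree standing in for the plugin's upload folder.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "site_backup.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
        (base / "avatar.PHP").write_bytes(b"<?php /* constructed */ ?>")
        (base / "notes.php.txt").write_bytes(b"constructed")
        (base / "readme.txt").write_bytes(b"<?= 'constructed' ?>")
        for rel, reason in audit_upload_dir(base):
            print(f"{reason:32} {rel}")
```

Any finding in a folder that should hold only backup archives warrants review of the file and of the administrator account that uploaded it.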

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 1

References: 3