CVE-2025-12656
Description
WPvivid Backup & Migration plugin versions up to 0.9.128 allow authenticated administrators to delete arbitrary folders due to insufficient path validation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WPvivid Backup & Migration plugin for WordPress, in all versions up to and including 0.9.128, suffers from insufficient file path validation within the delete_cancel_staging_site() function. This vulnerability allows for arbitrary directory deletion on the server.
Exploitation
An authenticated attacker with Administrator-level privileges can exploit this vulnerability by triggering the delete_cancel_staging_site() function with a crafted path. This function is accessible through the plugin's administrative interface, requiring no user interaction beyond the attacker's administrative actions.
Impact
Successful exploitation allows an attacker to delete arbitrary folders on the server. This can lead to significant data loss, potentially compromising the integrity and availability of the WordPress site and its underlying data.
Mitigation
There is no specific mitigation or fixed version disclosed in the available references. Users are advised to consult the plugin vendor for information on patches or workarounds. The plugin is listed as active on WordPress.org [4].
AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.9.128
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The delete_cancel_staging_site() function does not sufficiently validate file paths, allowing arbitrary directory deletion."
Attack vector
An authenticated attacker with Administrator-level access can exploit this vulnerability. The attacker needs to send a request to the delete_cancel_staging_site() function with a crafted path. This path can point to any directory on the server, leading to its deletion and potential data loss.
Affected code
The vulnerability exists in the delete_cancel_staging_site() function within the WPvivid Backup & Migration plugin. This function is responsible for handling the cancellation and deletion of staging sites.
What the fix does
The patch is not provided in the bundle. The advisory indicates that the vulnerability is due to insufficient file path validation in the delete_cancel_staging_site() function. Remediation would involve implementing stricter validation on the input path to prevent deletion of unintended directories.
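The stricter validation described above, as an added example that is not WPvivid's code: the requested path is canonicalised and must resolve to a directory strictly beneath an allowed base before anything is deleted. The function names and the base directory are hypothetical.

```php
<?php
// Added example (not the plugin's own code): confine a staging-site delete
// to one allowed base directory. Names and paths here are hypothetical.

function wpvivid_example_resolve_within_base(string $requested, string $allowed_base): ?string
{
    // realpath() returns false for missing paths and collapses '..' segments,
    // duplicate separators and symlinks, so the comparison sees real locations.
    $base   = realpath($allowed_base);
    $target = realpath($requested);
    if ($base === false || $target === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // The trailing separator stops "/srv/staging-other" from matching "/srv/staging",
    // and the equality test refuses deleting the base directory itself.
    $candidate = $target . DIRECTORY_SEPARATOR;
    if ($candidate === $base || strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }
    return $target;
}

function wpvivid_example_delete_staging_dir(string $requested, string $allowed_base): bool
{
    $dir = wpvivid_example_resolve_within_base($requested, $allowed_base);
    if ($dir === null || !is_dir($dir)) {
        error_log('staging delete refused: path is not inside the allowed base');
        return false;
    }
    // Recursive delete runs only on the validated directory, children first.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    return rmdir($dir);
}

// Constructed demonstration: a copy inside the base resolves, a path that
// climbs out of it (and the base itself) returns null and is never deleted.
$base = sys_get_temp_dir() . '/wpvivid_example_staging';
@mkdir($base . '/site1', 0700, true);
var_dump(wpvivid_example_resolve_within_base($base . '/site1', $base));
var_dump(wpvivid_example_resolve_within_base($base . '/site1/../..', $base));
var_dump(wpvivid_example_delete_staging_dir($base . '/site1', $base));
```

In a WordPress plugin this check sits alongside the usual capability and nonce checks on the AJAX handler; it addresses only the path-validation gap the advisory names.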
Preconditions
- auth: The attacker must have Administrator-level access or higher.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- wordpress.org/plugins/wpvivid-backuprestore/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/2f5962e5-3dc7-4f93-889c-d5e3530c7dba (nvd)
News mentions
No linked articles in our index yet.