Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116 - Authenticated (Administrator+) Arbitrary File Upload

Vulnerability

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpvivid_upload_import_files function. All versions up to and including 0.9.116 are affected [1]. An attacker with Administrator-level access can upload files without proper extension or MIME type checks.

Exploitation

An authenticated attacker with Administrator-level access can exploit the missing file type validation in the wpvivid_upload_import_files function. The attacker uploads a malicious file (e.g., a PHP web shell) through the plugin's import functionality. No special network position other than being logged into the WordPress admin panel is required. The uploaded file is placed in a folder where, on NGINX servers, there is no .htaccess protection, allowing direct access to the uploaded file.

Impact

Successful exploitation allows the attacker to upload arbitrary files, including executable PHP code, to the server. This can lead to remote code execution, enabling full compromise of the WordPress site. The impact is limited by the server type: uploaded files are only accessible on WordPress instances running on the NGINX web server, as the existing .htaccess within the target upload folder prevents access on Apache servers.

Mitigation

A patched version, 0.9.127, is now available as of the plugin's last updated date 2026-05-14 [1]. Users should update to version 0.9.127 or later. For users unable to update immediately, restricting Administrator-level access to trusted users only may reduce risk, but does not fully mitigate the vulnerability. The plugin is not listed in the CISA KEV at the time of publication.