Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
Published: 2026-06-05
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion when an authenticated administrator invokes the delete_cancel_staging_site() function. The flaw stems from insufficient file path validation, allowing the removal of any folder on the server. This leads to loss of data and potentially disrupts website functionality, affecting confidentiality and integrity of the site contents. The weakness corresponds to Path Manipulation (CWE-73).

Affected Systems

All WordPress installations that use the WPvivid plugin version 0.9.128 or earlier are impacted. The vulnerability is present in every release up to and including 0.9.128, as indicated by the plugin’s release history. Site owners who have installed or are still using these versions are therefore at risk.

Risk and Exploitability

The CVSS score is 3.8 (Low), reflecting the attacker's required privileges and the nature of the exploit. The EPSS score is below 1% (Very Low), and the lack of a public exploit and the absence from the CISA KEV catalog suggest that the likelihood of widespread exploitation is low to moderate. An attacker would need Administrator-level access within the WordPress dashboard. Once logged in, they could trigger the vulnerable code path that deletes directories, leading to irreversible data loss unless backups are in place. The attack is localized to sites with the affected plugin and does not involve remote exploitation from outside the server.

Generated by OpenCVE AI on June 6, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPvivid Backup & Migration plugin to the latest version that has the delete_cancel_staging_site() path validation fix (any release after 0.9.128).
  • If an upgrade cannot be performed immediately, restrict Administrator accounts to trusted users only, enable two‑factor authentication, and monitor directory changes for unexpected deletions.
  • Consider disabling or removing the staging feature of the plugin until a patch is applied, or configure your server to prevent the WordPress process from deleting arbitrary directories through permission restrictions.

Advisories

No advisories yet.

History

Sun, 07 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpvividplugins; Wpvividplugins wpvivid — Backup, Migration & Staging
Vendors & Products | | Wordpress; Wordpress wordpress; Wpvividplugins; Wpvividplugins wpvivid — Backup, Migration & Staging

Sat, 06 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 06 Jun 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
Title | | Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 - Authenticated (Admin+) Arbitrary Directory Deletion
Weaknesses | | CWE-73
References | |
Metrics | | cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T11:50:13.078Z

Reserved: 2025-11-03T20:41:36.992Z

Link: CVE-2025-12656

Vulnrichment

Updated: 2026-06-06T11:50:07.953Z

NVD

Status: Deferred

Published: 2026-06-06T00:16:40.077

Modified: 2026-06-08T14:57:14.757

Link: CVE-2025-12656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:15:33Z

Weaknesses
  • CWE-73: External Control of File Name or Path