Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
Published: 2026-06-05
Score: 3.8 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion when an authenticated administrator invokes the delete_cancel_staging_site() function. The flaw stems from insufficient file path validation, which allows the removal of any folder on the server. This leads to loss of data and can disrupt website functionality, affecting the integrity and availability of the site contents; the CVSS vector on this record rates the confidentiality impact as none (C:N/I:L/A:L). The weakness corresponds to Path Manipulation (CWE-73).

Affected Systems

All WordPress installations that use the WPvivid plugin version 0.9.128 or earlier are impacted. The vulnerability is present in every release up to and including 0.9.128, as indicated by the plugin’s release history. Site owners who have installed or are still using these versions are therefore at risk.

Risk and Exploitability

The CVSS score is 3.8 (Low), reflecting the Administrator-level privileges the attacker needs and the limited integrity and availability impact recorded in the vector (PR:H, I:L, A:L). The EPSS score is not available, but the lack of a public exploit and the absence from the CISA KEV catalog suggest that the likelihood of widespread exploitation is low to moderate. An attacker would need Administrator-level access within the WordPress dashboard. Once logged in, they could trigger the vulnerable code path that deletes directories, leading to irreversible data loss unless backups are in place. The attack is limited to sites running the affected plugin; although the vector lists the attack vector as network (AV:N), it cannot be carried out without an authenticated Administrator session.

Generated by OpenCVE AI on June 6, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPvivid Backup & Migration plugin to the latest version that has the delete_cancel_staging_site() path validation fix (any release after 0.9.128).
  • If an upgrade cannot be performed immediately, restrict Administrator accounts to trusted users only, enable two‑factor authentication, and monitor directory changes for unexpected deletions.
  • Consider disabling or removing the staging feature of the plugin until a patch is applied, or configure your server to prevent the WordPress process from deleting arbitrary directories through permission restrictions.


Advisories

No advisories yet.

History

Sat, 06 Jun 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | | The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
Title | | Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 - Authenticated (Admin+) Arbitrary Directory Deletion
Weaknesses | | CWE-73
References | |
Metrics | | cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-05T23:28:25.093Z

Reserved: 2025-11-03T20:41:36.992Z

Link: CVE-2025-12656

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-06T00:16:40.077

Modified: 2026-06-06T00:16:40.077

Link: CVE-2025-12656

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T01:30:06Z

Weaknesses