Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
Published: 2025-07-03
Score: 7.2 High
EPSS: 2.0% Low
KEV: No
Impact: Arbitrary file upload that can lead to remote code execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an authenticated user with Administrator privileges to upload arbitrary files to the WordPress site by exploiting missing file type validation in the wpvivid_upload_import_files function. Because the plugin does not restrict MIME types or extensions, an attacker can place malicious scripts or binaries on the server. On installations using NGINX, uploaded files become publicly accessible, enabling remote code execution. The flaw does not expose data by itself but can compromise the entire site if exploited.

Affected Systems

The issue affects the WPvivid – Backup, Migration & Staging plugin for WordPress, specifically all releases up to and including 0.9.116. WordPress sites with the plugin installed are at risk wherever an attacker holds an account with Administrator or higher privileges. Exploitation is most relevant on instances served by NGINX, where the plugin's upload folder is reachable over HTTP.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity, while an EPSS score of 2% suggests a low to moderate likelihood that the vulnerability will be actively exploited. Because the flaw requires administrator credentials, exploitation is limited to attackers who already hold such an account. The vulnerability is not listed in the CISA KEV catalog, indicating that no large-scale exploitation has been observed yet. Nevertheless, the combination of an authenticated upload path and missing file validation could be leveraged to gain remote code execution, especially on NGINX setups where the uploaded files are served directly.

Generated by OpenCVE AI on April 20, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPvivid plugin to a version newer than 0.9.116 to patch the missing file type validation.
  • Limit administrator access by applying the principle of least privilege, ensuring only trusted users retain full permissions.
  • Configure the server to block direct HTTP access to the plugin's upload directory—or adjust NGINX location blocks—to prevent execution of uploaded files.
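As an added example (not from the plugin, Wordfence or OpenCVE), the following NGINX server-block fragment applies the last recommendation: it denies direct HTTP access to the plugin's upload directory, reproducing on NGINX what the shipped .htaccess already does on Apache, and as defence in depth refuses to serve any PHP-like file anywhere under wp-content/uploads. The directory name wpvivid-import-placeholder is an assumption; replace it with the folder the plugin actually writes imports to.

```nginx
# Added example, not part of the plugin or of this advisory.
# ASSUMPTION: the plugin's import/upload folder lives at this path;
# substitute the real directory on your installation.
location ^~ /wp-content/uploads/wpvivid-import-placeholder/ {
    # "^~" is a prefix match that stops NGINX from evaluating regex
    # locations (such as the usual "location ~ \.php$" handler), so
    # nothing in this tree is ever handed to PHP-FPM or served at all.
    deny all;
}

# Defence in depth for the whole uploads tree: uploads should never be
# executable. Regex locations are tried in file order and the first match
# wins, so this block must appear BEFORE the generic PHP fastcgi location.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}
```

After reloading NGINX, a request for any .php path under uploads should return 403 rather than executing; verify with a harmless test file you create yourself.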

Advisories
Source: EUVD
ID: EUVD-2025-19880
Title: same text as the Description section above
History

Wed, 16 Jul 2025 13:45:00 +0000
  Metrics (epss): removed {'score': 0.00773}; added {'score': 0.00227}

Wed, 09 Jul 2025 18:15:00 +0000
  First Time appeared (added): Wpvivid; Wpvivid migration\, Backup\, Staging
  CPEs (added): cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:*
  Vendors & Products (added): Wpvivid; Wpvivid migration\, Backup\, Staging

Thu, 03 Jul 2025 14:15:00 +0000
  Metrics (ssvc, added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 03 Jul 2025 14:00:00 +0000
  Description (added): same text as the Description section above
  Title (added): Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116 - Authenticated (Administrator+) Arbitrary File Upload
  Weaknesses (added): CWE-434
  References (added): none listed
  Metrics (cvssV3_1, added): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:56.920Z

Reserved: 2025-06-10T00:50:12.470Z

Link: CVE-2025-5961

Vulnrichment

Updated: 2025-07-03T14:00:22.278Z

NVD

Status: Analyzed

Published: 2025-07-03T14:15:33.523

Modified: 2025-07-09T17:51:24.543

Link: CVE-2025-5961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z

Weaknesses