A vulnerability has been identified in the WordPress WPvivid Backup and Migration plugin that could allow a malicious actor to delete files from the website. This includes core files, which could cause the site to break and stop functioning.
The vulnerability is an Arbitrary File Deletion vulnerability that occurs in the allowphp.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to execute arbitrary commands on the target website, including deleting files.
This vulnerability was discovered and responsibly reported by Ivan Kuzymchak.
The vulnerability has a CVSS 3.1 score of 8.7, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
This vulnerability affects all versions of the WPvivid Backup and Migration Plugin released prior to version 0.9.90.
An attacker who successfully exploits this vulnerability could:
- File Deletion: Delete files from your website, including core files.
- Website Breakage: Cause the site to break and stop functioning.
Given the gravity of this situation, immediate action is mandatory to secure the WordPress website:
- Update the Plugin: It is urgent to update the WPvivid Backup and Migration Plugin to the most recent available version, specifically version 0.9.90 or newer. This update contains essential security fixes designed to rectify the Arbitrary File Deletion vulnerability.
- Regularly Update All Plugins: Keeping all website components up to date is a fundamental security practice.
- Enhance Security Measures: Consider implementing additional security measures such as web application firewalls (WAFs), strong authentication protocols, and regular security audits. A comprehensive security strategy is essential to minimize potential exploitation attempts.
This vulnerability is a serious threat to the security of WordPress websites that use the WPvivid Backup and Migration plugin. Users are strongly advised to update to the latest available version (at least 0.9.90) as soon as possible.