Arbitrary File Deletion vulnerability in WordPress WPvivid Backup and Migration Plugin

A vulnerability has been identified in the WordPress WPvivid Backup and Migration plugin that could allow a malicious actor to delete files from the website. This includes core files, which could cause the site to break and stop functioning.

The vulnerability is an Arbitrary File Deletion vulnerability that occurs in the allowphp.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to execute arbitrary commands on the target website, including deleting files.

This vulnerability was discovered and responsibly reported by Ivan Kuzymchak.

Severity:

The vulnerability has a CVSS 3.1 score of 8.7, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

This vulnerability affects all versions of the WPvivid Backup and Migration Plugin released prior to version 0.9.90.

Impact:

An attacker who successfully exploits this vulnerability could:

File Deletion: Delete files from your website, including core files.
Website Breakage: Cause the site to break and stop functioning.

Recommendation:

Given the gravity of this situation, immediate action is mandatory to secure the WordPress website:

Update the Plugin: It is urgent to update the WPvivid Backup and Migration Plugin to the most recent available version, specifically version 0.9.90 or newer. This update contains essential security fixes designed to rectify the Arbitrary File Deletion vulnerability.
Regularly Update All Plugins: Keeping all website components up to date is a fundamental security practice.
Enhance Security Measures: Consider implementing additional security measures such as web application firewalls (WAFs), strong authentication protocols, and regular security audits. A comprehensive security strategy is essential to minimize potential exploitation attempts.

Conclusion:

This vulnerability is a serious threat to the security of WordPress websites that use the WPvivid Backup and Migration plugin. Users are strongly advised to update to the latest available version (at least 0.9.90) as soon as possible.

Arbitrary File Deletion vulnerability in WordPress WPvivid Backup and Migration Plugin

Severity:

Affected Versions:

Impact:

Recommendation:

Conclusion:

Related Articles

SQL Injection vulnerability in WordPress iPanorama 360 WordPress Virtual Tour Builder Plugin

Cross-Site Scripting (XSS) vulnerability in WordPress MpOperationLogs Plugin

WordPress Contact Form With Captcha Plugin Cross-Site Request Forgery (CSRF) Vulnerability

Critical XSS Vulnerability in Smart Online Order for Clover Plugin

High-severity Privilege Escalation vulnerability in WordPress Shop as a Customer for WooCommerce plugin

High-Severity XSS Vulnerability in Mail Control Plugin

Categories

Latest Blog Updates

Unmasking a Persistent Malware Attack on a WordPress Website

Investigating and Resolving High CPU Usage in WordPress Due to Malicious Crawlers

Unmasking a Hidden Malware Attack Targeting Users from Search Results

Critical Broken Access Control Vulnerability in WP Travel Plugin

Critical Broken Access Control Vulnerability in WooODT Lite Plugin

Critical Local File Inclusion Vulnerability in HTML filter and csv-file search Plugin

Critical Remote Code Execution Vulnerability in PHP to Page Plugin