Sensitive Information Disclosure Vulnerability in WPvivid Plugin
CVE-2020-36835

4.9MEDIUM

Key Information:

Vendor: WPvividplugins
Status: Migration, Backup, Staging – WPvivid
Vendor: CVE Published:; 16 October 2024

Summary

The WPvivid Backup Plugin for WordPress has a security vulnerability that permits the disclosure of sensitive information stored within the WordPress database. This weakness arises from inadequate capability checks on the wp_ajax_wpvivid_add_remote AJAX action, allowing authenticated users with low-level permissions to transmit backups to any remote location. Consequently, those attackers could potentially access sensitive data from the WordPress site, thereby compromising the integrity and confidentiality of the stored information. Versions of the plugin up to and including 0.9.35 are impacted.

Affected Version(s)

Migration, Backup, Staging – WPvivid * < 0.9.36

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.webarxsecurity.com/vulnerability-in-wpvivid-b...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Oct 15, 2024

Credit

WebARX Security