Arbitrary File Upload Vulnerability in WPvivid Plugin
CVE-2020-36842
8.8 HIGH
Key Information:
- Vendor: WPvividplugins
- Product: Migration, Backup, Staging – WPvivid
- CVE Published: 16 October 2024
Summary
The WPvivid Backup Plugin for WordPress is vulnerable to arbitrary file upload because specific AJAX actions lack adequate capability checks. Low-level authenticated users can upload zip files, which can then be extracted on the server, potentially compromising the site. All versions up to and including 0.9.35 are affected, putting WordPress installations that use this plugin at significant risk.
Affected Version(s)
Migration, Backup, Staging – WPvivid * <= 0.9.35
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
WebARX Security