Unauthorized Access to Data in WPvivid Plugin Due to Missing Capability Check
CVE-2023-4637

4.3 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 5 February 2024

Summary

The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() functions in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a backup ID.

Affected Version(s)

Migration, Backup, Staging – WPvivid * <= 0.9.94

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Revan Arifio