Directory Creation Vulnerability in WPvivid Backup & Migration Plugin for WordPress
CVE-2025-12654

2.7LOW

Key Information:

Vendor: WordPress
Status: WPvivid — Backup, Migration & Staging
Vendor: CVE Published:; 21 December 2025

What is CVE-2025-12654?

The WPvivid Backup & Migration plugin for WordPress is susceptible to arbitrary directory creation. This vulnerability arises due to the insufficient restriction within the check_filesystem_permissions() function, which allows authenticated users with Administrator-level access and higher to create directories at unauthorized locations. As a result, this could potentially lead to unauthorized data exposure or further exploitation within the site.

Affected Version(s)

WPvivid — Backup, Migration & Staging 0 <= 0.9.120

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpvivid-backup...

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 21, 2025
Vulnerability Reserved
Nov 3, 2025

Credit

Chokri Hammedi

CVE-2025-12654 Data

JSON