Arbitrary Directory Deletion in WPvivid Backup & Migration Plugin for WordPress
CVE-2025-12656
3.8LOW
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 5 June 2026
What is CVE-2025-12656?
The WPvivid Backup & Migration plugin for WordPress has a flaw in its delete_cancel_staging_site() function, allowing authenticated users with Administrator-level access to delete arbitrary directories on the server. This vulnerability arises from inadequate validation of file paths, which can lead to significant data loss. It is essential for website owners to ensure they are using an updated version of the plugin to mitigate this risk.
Affected Version(s)
WPvivid β Backup, Migration & Staging 0 <= 0.9.128