Arbitrary Directory Deletion in WPvivid Backup & Migration Plugin for WordPress
CVE-2025-12656

3.8 LOW

What is CVE-2025-12656?

The WPvivid Backup & Migration plugin for WordPress has a flaw in its delete_cancel_staging_site() function, allowing authenticated users with Administrator-level access to delete arbitrary directories on the server. This vulnerability arises from inadequate validation of file paths, which can lead to significant data loss. It is essential for website owners to ensure they are using an updated version of the plugin to mitigate this risk.

Affected Version(s)

WPvivid — Backup, Migration & Staging 0 <= 0.9.128

References

CVSS V3.1

Score: 3.8
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chokri Hammedi