Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 - Authenticated (Admin+) Arbitrary Directory Deletion
CVE-2025-12656

3.8LOW

Key Information:

Vendor: WordPress
Status: WPvivid — Backup, Migration & Staging
Vendor: CVE Published:; 5 June 2026

What is CVE-2025-12656?

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.

Affected Version(s)

WPvivid — Backup, Migration & Staging 0 <= 0.9.128

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wpvivid-backup...

CVSS V3.1

Score:

3.8

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
Nov 3, 2025

Credit

Chokri Hammedi

CVE-2025-12656 Data

JSON