Arbitrary File Upload Vulnerability in WPvivid Backup & Migration Plugin for WordPress
CVE-2025-5961

7.2 HIGH

What is CVE-2025-5961?

The WPvivid Backup & Migration plugin for WordPress contains a vulnerability that allows authenticated attackers with Administrator-level access and above to upload arbitrary files. The issue arises from inadequate file type validation in the 'wpvivid_upload_import_files' function in all versions up to and including 0.9.116. If exploited, attackers could upload malicious files to the server, which may facilitate remote code execution. The vulnerability affects sites running on the NGINX web server, as the default .htaccess configuration on Apache servers restricts access to uploaded files.

Affected Version(s)

Migration, Backup, Staging – WPvivid Backup & Migration * <= 0.9.116

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Kozak