Arbitrary File Upload Vulnerability in WPvivid Backup & Migration Plugin for WordPress
CVE-2025-5961
Key Information:
- Vendor: WordPress
- CVE Published: 3 July 2025
What is CVE-2025-5961?
The WPvivid Backup & Migration plugin for WordPress contains a vulnerability that allows authenticated attackers with Administrator-level access and above to perform arbitrary file uploads. The issue arises from inadequate file type validation in the 'wpvivid_upload_import_files' function in all versions up to and including 0.9.116. If exploited, it could let attackers upload malicious files to the server, which may facilitate remote code execution. The vulnerability affects sites running on the NGINX web server, because the default .htaccess configuration on Apache servers restricts access to uploaded files.
Affected Version(s)
WPvivid – Backup, Migration & Staging 0 <= 0.9.116
EPSS Score
6% chance of being exploited in the next 30 days.