
CVE-2023-4637 – WPvivid <= 0.9.94 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-4637
19 Jan 2024 — The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() functions in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID. • https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 • CWE-862: Missing Authorization •

CVE-2023-5576 – Migration, Backup, Staging – WPvivid <= 0.9.91 - Google Drive Client Secret Exposure
https://notcve.org/view.php?id=CVE-2023-5576
13 Oct 2023 — The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPvivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering. • https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.91/includes/customclass/client_secrets.json • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2023-5120 – Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-5120
22 Sep 2023 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image file path parameter in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.89/includes/upload-cleaner/class-wpvivid-uploads-cleaner.php#L161 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-5121 – Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-5121
22 Sep 2023 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings (the backup path parameter) in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installa... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2956458%40wpvivid-backuprestore%2Ftrunk&old=2948265%40wpvivid-backuprestore%2Ftrunk&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-4274 – Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal
https://notcve.org/view.php?id=CVE-2023-4274
22 Sep 2023 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 0.9.89. This allows authenticated attackers with administrative privileges to delete the contents of arbitrary directories on the server, which can be a critical issue in shared environments. • https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.89/includes/class-wpvivid-setting.php#L200 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-2863 – WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read
https://notcve.org/view.php?id=CVE-2022-2863
22 Aug 2022 — The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack. • https://packetstorm.news/files/id/168616 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-2442 – Migration, Backup, Staging – WPvivid <= 0.9.74 - Authenticated (Admin+) PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2442
10 Aug 2022 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a fi... • https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1747 • CWE-502: Deserialization of Untrusted Data •

CVE-2022-27844 – WordPress WPvivid plugin <= 0.9.70 - Arbitrary File Read vulnerability
https://notcve.org/view.php?id=CVE-2022-27844
07 Apr 2022 — Arbitrary File Read vulnerability in WPvivid Team Migration, Backup, Staging – WPvivid (WordPress plugin) versions <= 0.9.70. • https://patchstack.com/database/vulnerability/wpvivid-backuprestore/wordpress-wpvivid-plugin-0-9-70-arbitrary-file-read-vulnerability • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2022-0531 – WPvivid Backup and Migration Plugin < 0.9.70 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0531
21 Mar 2022 — The Migration, Backup, Staging WordPress plugin before 0.9.70 does not sanitise and escape the sub_page parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/ac5c2a5d-09b6-470b-a598-2972183413ca • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-24994 – WPvivid Backup and Migration Plugin < 0.9.69 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24994
31 Jan 2022 — The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site Scripting issue. • https://wpscan.com/vulnerability/ea74257a-f6b0-49e9-a81f-53c0eb81b1da • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •