CVSS: 8.3EPSS: 5%CPEs: 1EXPL: 1CVE-2024-13869 – Migration, Backup, Staging – WPvivid <= 0.9.112 - Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file
https://notcve.org/view.php?id=CVE-2024-13869
21 Feb 2025 — The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the ... • https://github.com/d0n601/CVE-2024-13869 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-10962 – Migration, Backup, Staging – WPvivid <= 0.9.107 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-10962
13 Nov 2024 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to del... • https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1104 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.2EPSS: 8%CPEs: 1EXPL: 0CVE-2024-3054 – WPvivid Backup & Migration Plugin <= 0.9.99 - Authenticated (Admin+) PHAR Deserialization
https://notcve.org/view.php?id=CVE-2024-3054
11 Apr 2024 — WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient path validation on the tree_node[node][id] parameter. This makes it possible for authenticated attackers, with admin-level access and above, to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Object... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3067224%40wpvivid-backuprestore&new=3067224%40wpvivid-backuprestore&sfp_email=&sfph_mail= • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 0CVE-2024-1981 – WPvivid Backup and Migration <= 0.9.68 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-1981
28 Feb 2024 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to SQL Injection via the 'table_prefix' parameter in version 0.9.68 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. El complemento Migration, Backup, Staging – WPvivid para Word... • https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpvivid-backuprestore%2Ftrunk&old=2667839&new_path=%2Fwpvivid-backuprestore%2Ftrunk&new=2667839 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.4EPSS: 1%CPEs: 1EXPL: 0CVE-2024-1982 – WPvivid Backup and Migration <= 0.9.68 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-1982
28 Feb 2024 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS. El complemento Migration, Backup, Staging – WPvivid para WordPress es vulnerable al acceso no autorizado debido a una falta de verificación de capacidad en las funcion... • https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpvivid-backuprestore%2Ftrunk&old=2667839&new_path=%2Fwpvivid-backuprestore%2Ftrunk&new=2667839 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 0CVE-2024-1383 – WPvivid Backup for MainWP <= 0.9.32 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1383
28 Feb 2024 — The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 0.9.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento WPvivid Backup for MainWP para WordPress es vulnerable a Cross-Site Scr... • https://plugins.trac.wordpress.org/browser/wpvivid-backup-mainwp/trunk/wpvivid-backup-mainwp.php#L525 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36835 – Migration, Backup, Staging – WPvivid <= 0.9.35 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2020-36835
23 Mar 2020 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to sensitive information disclosure of a WordPress site's database due to missing capability checks on the wp_ajax_wpvivid_add_remote AJAX action that allows low-level authenticated attackers to send back-ups to a remote location of their choice for review. This affects versions up to, and including 0.9.35. • https://www.wordfence.com/threat-intel/vulnerabilities/id/90c3f8bc-fc41-4ba7-b9f2-8873203d5794?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.0EPSS: 22%CPEs: 1EXPL: 1CVE-2020-36842 – Migration, Backup, Staging – WPvivid <= 0.9.35 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2020-36842
13 Mar 2020 — The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvivid_upload_import_files and wpvivid_upload_files AJAX actions that allows low-level authenticated attackers to upload zip files that can be subsequently extracted. This affects versions up to, and including 0.9.35. El complemento Migration, Backup, Staging – WPvivid para WordPress es vulnerable a la carga de archivos arbitrarios debido a una verificación de capac... • https://github.com/Nxploited/CVE-2020-36842 • CWE-434: Unrestricted Upload of File with Dangerous Type •