WPvivid Backup Plugin < 0.9.91 – Missing Authorization via 'start_staging' and 'get_staging_progress' | CVE 2023-41243 | Plugin Vulnerabilities

Description

The WPvivid Backup Plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_staging' and 'get_staging_progress' functions in versions up to, and including, 0.9.90. This makes it possible for authenticated attackers to create new staging sites and fresh WordPress installations on the server that use arbitrary database connections under the attacker's control. This can allow full site takeover via an attacker who grants themselves administrator privileges on the new database, at which point the site they control shares a file system with the victim site.

Affects Plugins

wpvivid-backuprestore

Fixed in 0.9.91

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/28e723ee-e99a-4ec4-b492-bfba04d27fd0

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen Anh Tien

Verified

No

WPVDB ID

4f8178ab-962b-418c-9c31-a7a717c3d6f4

Timeline

Publicly Published

2023-09-12 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-12-11 (about 2 years ago)

Other

Published

Title

Published

2026-02-11

Title

Restaurant and Cafe < 1.2.6 - Missing Authorization

Published

2026-02-09

Title

PopupKit < 2.2.1 - Missing Authorization to Sensitive Information Disclosure and Data Deletion

Published

2025-03-31

Title

StaticPress <= 0.4.5 - Missing Authorization

Published

2024-09-24

Title

myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification < 2.7.4 - Missing Authorization to Unauthenticated Database Upgrade

Published

2023-10-17

Title

Themify Ultra < 7.3.6 - Missing Authorization