WordPress Plugin Vulnerabilities

Migration, Backup, Staging – WPvivid < 0.9.90 - Admin+ Arbitrary Directory Deletion via Path Traversal

Description

The plugin is vulnerable to Directory Traversal allowing authenticated bad actors with administrative privileges to delete the contents of arbitrary directories on the server, which can be a critical issue in a shared environments.

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.90

References

CVE
CVE-2023-4274

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.7 (high)

Miscellaneous

Original Researcher
Ivan Kuzymchak
Verified
Yes
WPVDB ID
568b8c1c-abfe-4c9e-8869-9475e29fdbaa

Timeline

Publicly Published
2023-09-22 (about 2 years ago)
Added
2023-10-20 (about 2 years ago)
Last Updated
2023-10-20 (about 2 years ago)

Other

Published
Title
Published
2018-01-08
Title
Media from FTP <= 9.84 - Authenticated Directory Traversal
Published
2014-12-08
Title
Ajax Store Locator <= 1.2 - Arbitrary File Download
Published
2017-09-19
Title
WordPress 4.4-4.8.1 - Path Traversal in Customizer
Published
2024-10-14
Title
Ahime Image Printer <= 1.0.0 - Unauthenticated Arbitrary File Download
Published
2025-04-03
Title
include-file <= 1 - Authenticated (Contributor+) Arbitrary File Download