WPvivid < 0.9.113 – Admin+ Arbitrary File Upload | CVE 2024-13869 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.

Affects Plugins

wpvivid-backuprestore

Fixed in 0.9.113

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0082e46d-fdbe-4ab7-bba3-0681a25d4495

Miscellaneous

Original Researcher

Ryan Kozak

Verified

No

WPVDB ID

b5e8196c-9d91-4318-83ec-ced2e8085017

Timeline

Publicly Published

2025-02-21 (about 1 year ago)

Added

2025-02-22 (about 1 year ago)

Last Updated

2025-02-22 (about 1 year ago)

Other

Published

Title

Published

2025-03-28

Title

SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload

Published

2014-11-25

Title

Gallery Bank <= 3.0.60 - Shell Upload

Published

2023-04-18

Title

OoohBoi Steroids for Elementor < 2.1.5 - Arbitrary File Upload

Published

2021-06-24

Title

ZoomSounds < 6.05 - Unauthenticated Arbitrary File Upload

Published

2024-05-10

Title

Z-Downloads < 1.11.4 - Authenticated (Admin+) Arbitrary File Upload