WordPress Plugin Vulnerabilities

WPvivid Backup and Migration < 0.9.69 - Unauthenticated SQLi & DoS

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions, allowing unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS.

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.69

References

CVE
CVE-2024-1982
CVE
CVE-2024-1981
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f17976e-d6b9-40fb-b2fb-d60bcfd68d12
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ef8bfb38-4f20-4f9f-bb30-a88f3be2d2d3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Denis Werner
Verified
No
WPVDB ID
f82c7195-02ee-4adb-ba5e-9fc3cdd1893f

Timeline

Publicly Published
2024-02-28 (about 2 years ago)
Added
2024-02-29 (about 2 years ago)
Last Updated
2024-02-29 (about 2 years ago)

Other

Published
Title
Published
2024-01-31
Title
Happyforms < 1.25.11 - Missing Authorization
Published
2025-08-22
Title
Acclectic Media Organizer <= 1.4 - Missing Authorization
Published
2023-12-26
Title
Sirv < 7.1.3 - Missing Authorization via sirv_disconnect
Published
2023-11-14
Title
avalex – Automatisch sichere Rechtstexte < 3.0.9 - Missing Authorization
Published
2025-12-31
Title
Worker for WPBakery <= 1.1.1 - Missing Authorization