WordPress Plugin Vulnerabilities

WPvivid < 0.9.95 - Missing Authorization

Description

The plugin vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() function, making it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID.

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.95

References

CVE
CVE-2023-4637
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
fcbf8cf1-d958-4e84-8287-c132974c5e26

Timeline

Publicly Published
2024-01-19 (about 2 years ago)
Added
2024-01-26 (about 2 years ago)
Last Updated
2024-01-26 (about 2 years ago)

Other

Published
Title
Published
2026-01-29
Title
Easy Hotel Booking <= 1.8.4 - Missing Authorization
Published
2024-03-07
Title
affiliate-toolkit – WordPress Affiliate Plugin < 3.5.5 - Missing Authorization via atkp_create_list
Published
2025-12-04
Title
AdForest < 6.0.12 - Missing Authorization
Published
2023-12-06
Title
System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_db_specs)
Published
2026-03-12
Title
Appointment Booking Calendar < 1.6.10.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint