CVE-2025-12654
Arbitrary Directory Creation in WPvivid Backup Plugin
Publication date: 2025-12-21
Last updated on: 2025-12-21
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpvivid | backup_migration | 0.9.120 |
| wpvivid | backup_migration | 0.9.121 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the WPvivid Backup & Migration WordPress plugin (up to version 0.9.120) and allows authenticated users with Administrator-level access or higher to create arbitrary directories on the server. The issue arises because the function check_filesystem_permissions() does not properly restrict where or what directories can be created, enabling directory creation beyond intended limits. [3]
How can this vulnerability impact me?
An attacker with Administrator-level access could exploit this vulnerability to create arbitrary directories on the server. This could potentially be used to store malicious files, interfere with site operations, or prepare for further attacks. Although the CVSS score is low (2.7), indicating limited impact, the ability to create directories arbitrarily can lead to increased risk of site compromise or data integrity issues. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WPvivid Backup & Migration plugin version is 0.9.120 or earlier, as these versions allow arbitrary directory creation due to improper filesystem permission checks. Specifically, you can verify if the plugin attempts to create directories without proper restrictions by testing filesystem permissions similar to the plugin's AJAX permission check: attempt to create and delete a directory and a test file within it. Commands to manually test this on the server could include:
1) mkdir -p /path/to/testdir
2) touch /path/to/testdir/wpvividstg_test_file.txt
3) rm -rf /path/to/testdir
If these commands succeed without proper restrictions, the system may be vulnerable. Additionally, monitoring WordPress admin AJAX calls related to staging site creation and filesystem permission checks (e.g., wp_ajax_wpvividstg_check_filesystem_permissions_free) can help detect exploitation attempts. However, no explicit detection commands are provided in the resources. [3]
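The answer above names the AJAX hook to watch (wp_ajax_wpvividstg_check_filesystem_permissions_free); in WordPress the hook name minus the wp_ajax_ prefix is the value of the request's action parameter. The script below is an added example for defenders, not code from the CVE record, Wordfence or the WPvivid project. It scans a web-server access log in the common "combined" format for admin-ajax.php requests carrying that action and tallies them per source IP, and it includes a small version comparison against the fixed version named in the mitigation answer (0.9.121). The log lines are constructed for the example, and the wp-cli plugin slug in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not part of the CVE record or the WPvivid plugin):
# surface admin-ajax.php calls to the staging filesystem-permission
# check so they can be compared with expected administrator activity.

# The request action corresponding to the hook named in the record.
WPVIVID_ACTION='wpvividstg_check_filesystem_permissions_free'

# Constructed sample access log (combined format); not real traffic.
make_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.10 - - [21/Dec/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=wpvividstg_check_filesystem_permissions_free HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2025:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.10 - - [21/Dec/2025:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=wpvividstg_check_filesystem_permissions_free&_=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
EOF
}

# Count requests whose query string carries the action. Only GET
# requests expose the query string in an access log; POST bodies need
# application- or WAF-level logging. Prints 0 (instead of failing)
# when nothing matches.
count_wpvivid_fs_checks() {
  grep -c "admin-ajax\.php?[^\" ]*action=${WPVIVID_ACTION}" "$1" || true
}

# Same matches, summarised as "<count> <source ip>", busiest first.
wpvivid_fs_checks_by_ip() {
  grep "admin-ajax\.php?[^\" ]*action=${WPVIVID_ACTION}" "$1" \
    | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# version_lt A B: exit 0 when dotted version A is older than B.
# Usable with the installed version, e.g. (assumed wp-cli slug):
#   wp plugin get wpvivid-backuprestore --field=version
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i in x) ? x[i] + 0 : 0;
      yi = (i in y) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1 }'
}

# Demo run over the constructed log.
demo_log=$(mktemp)
make_sample_log "$demo_log"
echo "matching requests: $(count_wpvivid_fs_checks "$demo_log")"
wpvivid_fs_checks_by_ip "$demo_log"
if version_lt "0.9.120" "0.9.121"; then
  echo "0.9.120 is older than the fixed version 0.9.121"
fi
rm -f "$demo_log"
```

A hit on its own is not proof of exploitation, since administrators trigger the same check when creating a staging site; the useful signal is a burst of these calls, calls from an unfamiliar administrator session or IP, or calls on a site where nobody is expected to use the staging feature.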
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1) Updating the WPvivid Backup & Migration plugin to version 0.9.121 or later, where the vulnerability is addressed by improved filesystem permission checks and safer staging site creation processes.
2) Restricting administrator-level access to trusted users only, since exploitation requires authenticated admin privileges.
3) Monitoring and restricting AJAX endpoints related to staging and filesystem permissions to prevent unauthorized directory creation.
4) Ensuring proper filesystem permissions (e.g., directories set to 755) to prevent unauthorized directory or file creation by the plugin or attackers.
These steps reduce the risk of arbitrary directory creation by authenticated attackers. [3, 2]