CVE-2025-12656
Deferred Deferred - Pending Action
Arbitrary Directory Deletion in WPvivid Backup & Migration WordPress Plugin

Publication date: 2026-06-06

Last updated on: 2026-06-08

Assigner: Wordfence

Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2025-12656
EUVD
EUVD-2025-210080
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wpvivid backup_and_migration to 0.9.128 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress has a vulnerability that allows authenticated users with Administrator-level access or higher to delete arbitrary directories on the server. This happens because the plugin's delete_cancel_staging_site() function does not properly validate file paths before deleting, which can lead to unintended folder deletions.

Impact Analysis

This vulnerability can lead to loss of data on the server because attackers with sufficient privileges can delete arbitrary folders. This could disrupt website functionality, cause data loss, and potentially require restoration from backups or manual recovery efforts.

Detection Guidance

This vulnerability involves arbitrary directory deletion via the delete_cancel_staging_site() function in the WPvivid Backup & Migration plugin for WordPress. Detection would require verifying if the vulnerable plugin version (up to and including 0.9.128) is installed and active on your WordPress site.

Since the vulnerability requires authenticated Administrator-level access, monitoring for suspicious deletion activity or unexpected file system changes related to staging or backup directories could help detect exploitation attempts.

Specific commands to detect the vulnerability or exploitation attempts are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the WPvivid Backup & Migration plugin to a version later than 0.9.128 where this vulnerability is fixed.

Restrict Administrator-level access to trusted users only, as exploitation requires such privileges.

Monitor and audit file system changes related to backup and staging directories to detect any unauthorized deletions.

Consider taking manual backups of important data before applying updates or performing staging site operations.

Compliance Impact

The vulnerability allows authenticated attackers with Administrator-level access to delete arbitrary folders on the server, leading to potential loss of data.

Such data loss could impact compliance with standards and regulations like GDPR and HIPAA, which require proper data protection, integrity, and availability.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12656. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart