CVE-2025-12656
Arbitrary Directory Deletion in WPvivid Backup & Migration WordPress Plugin
Publication date: 2026-06-06
Last updated on: 2026-06-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpvivid | backup_and_migration | to 0.9.128 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Migration, Backup, Staging β WPvivid Backup & Migration plugin for WordPress has a vulnerability that allows authenticated users with Administrator-level access or higher to delete arbitrary directories on the server. This happens because the plugin's delete_cancel_staging_site() function does not properly validate file paths before deleting, which can lead to unintended folder deletions.
How can this vulnerability impact me? :
This vulnerability can lead to loss of data on the server because attackers with sufficient privileges can delete arbitrary folders. This could disrupt website functionality, cause data loss, and potentially require restoration from backups or manual recovery efforts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary directory deletion via the delete_cancel_staging_site() function in the WPvivid Backup & Migration plugin for WordPress. Detection would require verifying if the vulnerable plugin version (up to and including 0.9.128) is installed and active on your WordPress site.
Since the vulnerability requires authenticated Administrator-level access, monitoring for suspicious deletion activity or unexpected file system changes related to staging or backup directories could help detect exploitation attempts.
Specific commands to detect the vulnerability or exploitation attempts are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the WPvivid Backup & Migration plugin to a version later than 0.9.128 where this vulnerability is fixed.
Restrict Administrator-level access to trusted users only, as exploitation requires such privileges.
Monitor and audit file system changes related to backup and staging directories to detect any unauthorized deletions.
Consider taking manual backups of important data before applying updates or performing staging site operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Administrator-level access to delete arbitrary folders on the server, leading to potential loss of data.
Such data loss could impact compliance with standards and regulations like GDPR and HIPAA, which require proper data protection, integrity, and availability.
However, the provided information does not explicitly describe the direct effects on compliance with these regulations.