WPvivid Backup & Migration Plugin Arbitrary File Upload Vulnerability on WordPress

Vulnerability

A vulnerability exists in the WPvivid Backup & Migration plugin for WordPress in versions through 0.9.112. The 'upload_files' function does not adequately validate the type of uploaded files, allowing authenticated users with Administrator-level access to upload arbitrary files to the server, which could lead to remote code execution. Note that the uploaded files are only reachable on WordPress sites served by NGINX: the default .htaccess file in the upload directory blocks access to them on Apache servers.
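The kind of file-type check the advisory says 'upload_files' lacks, written here as an added example in Python rather than the plugin's PHP (this is not WPvivid's code; the file names, sample bytes and the allowlist of only .zip are constructed assumptions): an upload is accepted only if its name carries exactly one allowed extension and its bytes parse as a real ZIP archive, so a PHP file cannot pass by renaming or by a spoofed MIME type.

```python
"""Validate a backup-archive upload by name AND bytes (constructed example, not WPvivid's code)."""
import io
import zipfile

ALLOWED_EXTENSIONS = {"zip"}
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06")  # local file header / empty archive


def validate_backup_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accepts only a well-formed ZIP named *.zip."""
    # 1. Exactly one extension, from the allowlist; rejects backup.zip.php too.
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) != 2 or parts[1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {filename!r}"
    # 2. Magic bytes: content must look like a ZIP regardless of its name or
    #    the client-supplied MIME type.
    if not data.startswith(ZIP_MAGIC):
        return False, "content is not a ZIP archive"
    # 3. Structural check: the archive must parse and members must pass CRC.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()
    except zipfile.BadZipFile:
        return False, "corrupt ZIP archive"
    if bad is not None:
        return False, f"CRC mismatch in archive member {bad!r}"
    return True, "ok"


def build_sample_zip() -> bytes:
    """Constructed stand-in for a real backup archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wp-content/uploads/note.txt", "sample backup member")
    return buf.getvalue()


# Constructed inputs: one genuine archive and four spoofed uploads.
SAMPLES = {
    "backup.zip": build_sample_zip(),
    "shell.php": b"<?php /* constructed web-shell stand-in */ ?>",
    "backup.zip.php": build_sample_zip(),  # double extension
    "renamed.zip": b"<?php /* PHP bytes behind a .zip name */ ?>",
    "truncated.zip": b"PK\x03\x04" + b"\x00" * 20,  # magic only, no structure
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, why = validate_backup_upload(name, blob)
        print(f"{name:16} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

Only the genuine archive is accepted; the other four samples are rejected at the extension, magic-byte or structural step respectively.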

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which could be used to execute malicious code on the server, particularly if the uploaded file is a script that can be executed by the web server.

Reproduction

To reproduce this vulnerability, log into the WordPress admin panel and navigate to the WPvivid Backup tab. Under Backup & Restore, create a new backup and download it. Then, go to the Upload tab and select the downloaded zip file. Intercept the upload request using a tool like Burp Suite, modify it to include a PHP web shell instead of a zip file, and send the request. After receiving a success response, the web shell can be accessed and executed.

Remediation

Users are advised to update the WPvivid Backup & Migration plugin to version 0.9.113 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          10.0
exploitability  6.3
remediation     7.7
relevance       0.0
threat          6.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.