WPvivid Backup & Migration
cpe:2.3:a:wpvivid:migration,_backup,_staging:*:*:*:*:wordpress:*:*
- <= 0.9.123
A vulnerability allowing unauthenticated arbitrary file uploads has been identified in the WPvivid Backup & Migration plugin for WordPress, affecting versions through 0.9.123. The issue arises from improper error handling during the RSA decryption process, coupled with a lack of path sanitization for uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it incorrectly continues execution by passing a false value to the phpseclib library's AES cipher initialization. This false value is interpreted as a string of null bytes, enabling an attacker to encrypt a malicious payload with a predictable null-byte key. Furthermore, the plugin allows filenames from the decrypted payload without proper sanitization, creating a directory traversal vulnerability that can escape the protected backup directory. As a result, unauthenticated attackers can upload arbitrary PHP files to publicly accessible directories and execute them remotely using the wpvivid_action=send_to_site parameter.
Exploitation of this vulnerability allows for unauthenticated users to upload files to the server, potentially leading to remote code execution if the uploaded files are executed as scripts.
To reproduce this vulnerability, upload a file through the WPvivid Backup & Migration plugin's 'send to site' feature. The plugin will decrypt the session key incorrectly, allowing the upload of a file with a malicious payload, such as a PHP script. The uploaded file can then be executed, leading to remote code execution.
Users are advised to update the WPvivid Backup & Migration plugin to version 0.9.124 or later.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.