CVE-2025-12656
⚪ For information
A vulnerability in the WPvivid Backup & Migration plugin allows attackers to delete arbitrary folders.
CVSS
3.8
EPSS
0.0%
Exploit
none
Vendor
Source description (NVD)
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
none
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 3.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-06-06 00:16:40 UTC |
| Last modified (NVD) | 2026-06-08 14:57:14 UTC |
References
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1268 (security@wordfence.com)
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1282 (security@wordfence.com)
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1296 (security@wordfence.com)
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3556022%40wpvivid-backuprestore&new=3556022%40wpvivid-backuprestore&sfp_email=&sfph_mail= (security@wordfence.com)
- https://wordpress.org/plugins/wpvivid-backuprestore/ (security@wordfence.com)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2f5962e5-3dc7-4f93-889c-d5e3530c7dba?source=cve (security@wordfence.com)