“There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and all files of the WordPress site.” reads the post published by WebARX.
The WPvivid Backup Plugin is a free all-in-one backup, restore and migration WordPress plugin, which has over 40,000 active installations
It allows users to easily migrate a copy of a WP site to a new host (a new domain), schedule backups, send backups to leading remote storage.
The analysis of the code revealed the presence of several wp_ajax actions that miss the authorization check leading to Cross-Site Request Forgery (CSRF) attacks.
The most impacted action is the ‘wp_ajax_wpvivid_add_remote’, means that users with any role could add a new storage location and use it as the default backup location.
“This means that the next time the backup runs, it will use this backup location and upload the backup to this location.” continues the analysis.
“For example, an evil person could set up
Experts explained that once the attackers have set up a new storage location, the next time the plugin will run, it would upload the backup to it. An authenticated attacker could set the plugin to send the backup to a remote location under the control of the attacker, giving it access to any file on the website.
The CSRF vulnerability could be also exploited by remote attackers to trick an admin user to execute an unwanted admin action implemented by the plugin.
Below the timeline for this vulnerability:
28-02-2020 – Discovery of the vulnerability in WPvivid and release of a virtual patch to all WebARX customers.
28-02-2020 – Reported the issue to the developer of the WPvivid plugin.
05-03-2020 – Asked for update regarding the report.
17-03-2020 – New version released that fixes the vulnerability in WPvivid plugin.