“There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and all files of the WordPress site.” reads the post published by WebARX.
The WPvivid Backup Plugin is a free all-in-one backup, restore and migration WordPress plugin, which has over 40,000 active installations
It allows users to easily migrate a copy of a WP site to a new host (a new domain), schedule backups, send backups to leading remote storage.
The analysis of the code revealed the presence of several wp_ajax actions that miss the authorization check leading to Cross-Site Request Forgery (CSRF) attacks.
The most impacted action is the ‘wp_ajax_wpvivid_add_remote’, means that users with any role could add a new storage location and use it as the default backup location.
“This means that the next time the backup runs, it will use this backup location and upload the backup to this location.” continues the analysis.
“For example, an evil person could set up
Experts explained that once the attackers have set up a new storage location, the next time the plugin will run, it would upload the backup to it. An authenticated attacker could set the plugin to send the backup to a remote location under the control of the attacker, giving it access to any file on the website.
The CSRF vulnerability could be also exploited by remote attackers to trick an admin user to execute an unwanted admin action implemented by the plugin.
Below the timeline for this vulnerability:
28-02-2020 – Discovery of the vulnerability in WPvivid and release of a virtual patch to all WebARX customers.
28-02-2020 – Reported the issue to the developer of the WPvivid plugin.
05-03-2020 – Asked for update regarding the report.
17-03-2020 – New version released that fixes the vulnerability in WPvivid plugin.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.