Vulnerability Details CVE-2020-36842
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvivid_upload_import_files and wpvivid_upload_files AJAX actions that allows low-level authenticated attackers to upload zip files that can be subsequently extracted. This affects versions up to, and including 0.9.35.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.239
EPSS Ranking 95.7%
CVSS Severity
CVSS v3 Score 8.8
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2261665%40wpvivid-backuprestore%2Ftrunk&old=2252870%40wpvivid-backuprestore%2Ftrunk&sfp_email=&sfph_mail=
- https://www.webarxsecurity.com/vulnerability-in-wpvivid-backup-plugin-can-lead-to-database-leak/?fbclid=IwAR3Ve74ZIvmx-aC0OssIWYwcWEjGq6yU16DcyVGHD1XUT3uYaZ3QyVu_Eos&utm_content=buffer4435b&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer
- https://www.wordfence.com/threat-intel/vulnerabilities/id/de1da248-2e03-40fa-8997-7176dc06abc9?source=cve
Products affected by CVE-2020-36842
-
_backup
-
_staging:-
-
_staging:0.9.1
-
_staging:0.9.10
-
_staging:0.9.11
-
_staging:0.9.12
-
_staging:0.9.13
-
_staging:0.9.14
-
_staging:0.9.15
-
_staging:0.9.16
-
_staging:0.9.17
-
_staging:0.9.18
-
_staging:0.9.19
-
_staging:0.9.2
-
_staging:0.9.20
-
_staging:0.9.21
-
_staging:0.9.22
-
_staging:0.9.23
-
_staging:0.9.24
-
_staging:0.9.25
-
_staging:0.9.26
-
_staging:0.9.27
-
_staging:0.9.28
-
_staging:0.9.29
-
_staging:0.9.3
-
_staging:0.9.30
-
_staging:0.9.31
-
_staging:0.9.32
-
_staging:0.9.33
-
_staging:0.9.34
-
_staging:0.9.35
-
_staging:0.9.4
-
_staging:0.9.5
-
_staging:0.9.6
-
_staging:0.9.7
-
_staging:0.9.8
-
_staging:0.9.9
-
cpe:2.3:a:wpvivid:migration