TechRadar : WPvivid Backup & Migration plugin allowed for arbitrary file upload
WPvivid Backup & Migration, a WordPress plugin with almost a million installs, is vulnerable to a critical-severity flaw that allows threat actors to run malicious code remotely.
Although it sounds ominous, the bug has a few limitations that make exploitation somewhat difficult.
The affected WordPress plugin lets users create site backups, restore them, and migrate sites to new domains or hosts. The core features are available for free, with optional premium upgrades for more advanced functions. It currently counts more than 900,000 active installations and more than 20,000 customers.
However, security researchers at Defiant (the company behind Wordfence) found that the plugin suffers from improper error handling in its RSA decryption process, combined with a lack of path sanitization. As a result, unauthenticated threat actors could upload arbitrary files to the server, achieving remote code execution (RCE).
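As an added illustration of the two bug classes the researchers describe, here is a generic PHP upload handler in an unsafe and a hardened form. This is example code written for this page, not WPvivid's code: the backup directory, the base64 request encoding, the use of OAEP padding, the file-name allow-list and the archive extensions are assumptions, and the unsafe variant shows one plausible shape of an unchecked decryption result rather than the plugin's actual logic.

```php
<?php
// Added example for this page (not WPvivid's code). Shows an upload handler that
// (a) ignores the RSA decryption result and (b) trusts the caller's path, next
// to a hardened version. Directory, encoding and padding are assumptions.
declare(strict_types=1);

// Unsafe variant: the decryption result is never checked, so $name may be empty
// or attacker-influenced, and "../" in it escapes $baseDir.
function handle_upload_unsafe(string $encName, string $privPem, string $data, string $baseDir): string
{
    openssl_private_decrypt(base64_decode($encName), $name, $privPem, OPENSSL_PKCS1_OAEP_PADDING);
    $dest = $baseDir . '/' . $name;   // no canonicalisation, no allow-list
    file_put_contents($dest, $data);
    return $dest;
}

// Hardened variant: fail closed on any decryption error, strip directory
// components, allow-list the name and extension, and confirm the canonical
// destination still sits inside the backup directory.
function handle_upload_safe(string $encName, string $privPem, string $data, string $baseDir): ?string
{
    $cipher = base64_decode($encName, true);
    if ($cipher === false) {
        return null;
    }
    $name = '';
    if (openssl_private_decrypt($cipher, $name, $privPem, OPENSSL_PKCS1_OAEP_PADDING) !== true || $name === '') {
        return null;                          // decryption failed: reject, do not continue
    }
    $name = basename($name);                  // drop any directory components
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $name)) {
        return null;                          // reject dot-files and odd characters
    }
    if (!preg_match('/\.(zip|tar\.gz)$/i', $name)) {
        return null;                          // only expected archive types (assumed list)
    }
    $root = realpath($baseDir);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    $dest = $root . DIRECTORY_SEPARATOR . $name;
    if (realpath(dirname($dest)) !== $root) {
        return null;                          // defence in depth against traversal
    }
    if (file_put_contents($dest, $data, LOCK_EX) === false) {
        return null;
    }
    return $dest;
}

// Demo on a throwaway key and temp directory (constructed input).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privPem);
$pubPem = openssl_pkey_get_details($key)['key'];
$base = sys_get_temp_dir() . '/backups_' . bin2hex(random_bytes(4));
mkdir($base, 0700);

// Traversal attempt in the encrypted file name.
openssl_public_encrypt('../evil.php', $enc, $pubPem, OPENSSL_PKCS1_OAEP_PADDING);
var_dump(handle_upload_safe(base64_encode($enc), $privPem, '<?php ?>', $base));

// Well-formed archive name.
openssl_public_encrypt('site-backup.zip', $enc, $pubPem, OPENSSL_PKCS1_OAEP_PADDING);
var_dump(handle_upload_safe(base64_encode($enc), $privPem, 'PK', $base));

// Garbage ciphertext: the decryption call itself fails.
var_dump(handle_upload_safe(base64_encode('not ciphertext'), $privPem, 'x', $base));
// handle_upload_unsafe() is deliberately not called here, since it would write outside $base.
```

The safe variant never branches on the decrypted value until the decryption call has returned true, which is the error-handling point the researchers raise; everything after that is ordinary upload hygiene (basename, allow-list, realpath containment) that an unauthenticated endpoint needs regardless of how the name was transported.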