CVE-2025-12654: CWE-73 External Control of File Name or Path in wpvividplugins Migration, Backup, Staging – WPvivid Backup & Migration
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-12654 identifies a security vulnerability in the Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress, affecting all versions up to and including 0.9.120. The vulnerability stems from the check_filesystem_permissions() function, which fails to properly restrict directory creation to safe locations or enforce strict directory naming controls. As a result, authenticated users with Administrator-level privileges or higher can create arbitrary directories anywhere within the file system accessible to the plugin. This is classified under CWE-73 (External Control of File Name or Path), indicating that external input improperly influences file or directory paths. The vulnerability does not allow direct code execution or data disclosure but can undermine system integrity by enabling attackers to create directories that may be used for malicious payload storage, log manipulation, or to facilitate privilege escalation in chained attacks. The CVSS v3.1 base score is 2.7, reflecting low severity due to the requirement for high privileges and no direct impact on confidentiality or availability. No patches or exploits are currently publicly available, but the issue is published and should be addressed by plugin maintainers. The vulnerability is network exploitable but requires authenticated administrator access, limiting its attack surface primarily to compromised or insider accounts.
Potential Impact
The primary impact of this vulnerability is on system integrity, as attackers with administrator access can create arbitrary directories, potentially enabling further malicious activities such as planting backdoors, manipulating backups, or interfering with site operations. Although it does not directly compromise confidentiality or availability, the ability to control directory creation can facilitate more complex attack chains, including privilege escalation or persistence mechanisms. Organizations relying on WPvivid Backup & Migration for critical backup and migration tasks may face risks of data tampering or disruption of backup integrity. The requirement for administrator-level authentication reduces the likelihood of remote exploitation by external attackers but increases risk from insider threats or compromised admin accounts. The vulnerability could also complicate incident response and recovery if attackers use created directories to hide malicious files or logs. Overall, the impact is moderate in environments with strong access controls but could be more severe where admin credentials are weak or shared.
Mitigation Recommendations
1. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of compromised admin accounts.
2. Monitor and audit directory creation activities within the WordPress installation, focusing on unusual or unexpected directory paths created by the WPvivid plugin.
3. Apply security patches promptly once the plugin vendor releases updates addressing this vulnerability.
4. In the absence of an immediate patch, consider temporarily disabling or limiting the use of the WPvivid Backup & Migration plugin, especially on high-value or production sites.
5. Implement file system integrity monitoring tools to detect unauthorized directory or file creation.
6. Review and harden WordPress file permissions to limit the plugin’s ability to write outside intended directories.
7. Educate administrators about the risks of this vulnerability and encourage vigilance for suspicious activity.
8. Regularly back up WordPress sites using alternative trusted methods to ensure recovery capability in case of compromise.
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-03T20:38:20.329Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694770dcdaa649f7237704bb
Added to database: 12/21/2025, 4:00:28 AM
Last enriched: 2/27/2026, 8:54:22 PM
Last updated: 3/24/2026, 1:26:27 PM
Views: 94