CVE-2025-12654: CWE-73 External Control of File Name or Path in wpvividplugins WPvivid — Backup, Migration & Staging
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.
AI Analysis
Technical Summary
The WPvivid Backup, Migration & Staging plugin for WordPress contains an arbitrary directory creation vulnerability (CWE-73) in all versions up to and including 0.9.120. This occurs because the check_filesystem_permissions() function does not properly restrict where directories can be created, enabling authenticated administrators to create directories at arbitrary locations. The CVSS 3.1 base score is 2.7, reflecting low severity with network attack vector, low complexity, high privileges required, no user interaction, and limited impact on integrity only.
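A containment check of the kind this weakness class calls for, as an added example rather than WPvivid's own code or fix. The function names, the base directory and the sample requests are hypothetical, and the weak form illustrates CWE-73 in general, not the actual body of check_filesystem_permissions().

```php
<?php
// Added illustration of CWE-73 in a directory-creation helper.
// Not WPvivid's code: all function names and paths here are hypothetical.

/** Weak form: creates whatever path the caller supplies, anywhere. */
function create_dir_unrestricted(string $requested): bool
{
    return is_dir($requested) || mkdir($requested, 0755, true);
}

/**
 * Hardened form: accepts only a relative path and creates it strictly
 * beneath $base. Returns the resolved path, or null when rejected.
 */
function create_dir_contained(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        return null; // the allowed base must already exist
    }
    // Reject empty input, NUL bytes, absolute paths, drive letters, wrappers.
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#^([/\\\\]|[a-z]:|[a-z][a-z0-9+.-]*://)#i', $requested)) {
        return null;
    }
    $current = $baseReal;
    foreach (preg_split('#[/\\\\]+#', $requested, -1, PREG_SPLIT_NO_EMPTY) as $part) {
        if ($part === '.' || $part === '..') {
            return null; // no traversal segments
        }
        $current .= DIRECTORY_SEPARATOR . $part;
        if (is_link($current)) {
            return null; // never follow a symlink out of the base
        }
        if (!is_dir($current) && !@mkdir($current, 0750)) {
            return null;
        }
    }
    // Final check: the resolved result must still sit under the base.
    $real = realpath($current);
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return ($real !== false && strncmp($real, $prefix, strlen($prefix)) === 0) ? $real : null;
}

// Constructed sample requests, run against a throwaway temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dir_demo_' . getmypid();
mkdir($base, 0750);
foreach (['site1/2025-12', '../outside', '/tmp/elsewhere', 'a/../../b'] as $req) {
    echo str_pad($req, 16), ' => ', create_dir_contained($base, $req) ?? 'rejected', PHP_EOL;
}
```

Only the first sample request is created; the other three are rejected before any directory is made outside the base.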
Potential Impact
An attacker with Administrator-level access can create arbitrary directories on the file system where the plugin operates. This could potentially be used to manipulate the file system structure but does not directly lead to confidentiality or availability impacts. There are no known exploits in the wild. The impact is limited due to the requirement for high privileges and no direct data disclosure or service disruption.
Mitigation Recommendations
No official patch or remediation guidance is currently available from the vendor. Users should monitor the vendor's advisory channels for updates. Since exploitation requires Administrator-level access, ensuring strict access controls and limiting administrator accounts can reduce risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-03T20:38:20.329Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694770dcdaa649f7237704bb
Added to database: 12/21/2025, 4:00:28 AM
Last enriched: 4/9/2026, 4:17:23 PM
Last updated: 5/10/2026, 5:40:19 AM