CVE-2025-5961: CWE-434 Unrestricted Upload of File with Dangerous Type in wpvividplugins Migration, Backup, Staging – WPvivid Backup & Migration

Severity: High
Tags: Vulnerability, CVE-2025-5961, CWE-434
Published: Thu Jul 03 2025 (07/03/2025, 13:44:11 UTC)
Source: CVE Database V5
Vendor/Project: wpvividplugins
Product: Migration, Backup, Staging – WPvivid Backup & Migration

Description

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.

AI-Powered Analysis

Last updated: 07/03/2025, 14:09:36 UTC

Technical Analysis

CVE-2025-5961 is a high-severity vulnerability affecting the WordPress plugin 'Migration, Backup, Staging – WPvivid Backup & Migration' developed by wpvividplugins. The vulnerability arises from improper validation of file types in the 'wpvivid_upload_import_files' function, allowing authenticated users with Administrator-level privileges or higher to upload arbitrary files to the server. This lack of file type restriction corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability affects all versions up to and including 0.9.116. Exploitation could lead to remote code execution (RCE) if malicious files are uploaded and executed on the server. However, the exploitability is contingent on the web server environment: uploaded files are accessible only on WordPress instances running on NGINX because Apache servers typically have .htaccess rules in the upload directory that block direct access to uploaded files, mitigating the risk of execution. The CVSS 3.1 base score is 7.2, reflecting high severity, with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. This vulnerability is critical because it allows an authenticated administrator to bypass file upload restrictions, potentially leading to full server compromise if the environment is vulnerable (NGINX-based).

Potential Impact

For European organizations using WordPress sites with the WPvivid Backup & Migration plugin, this vulnerability poses a significant risk, especially for those hosting their sites on NGINX web servers. Successful exploitation could lead to remote code execution, allowing attackers to execute arbitrary commands, deploy backdoors, steal sensitive data, or disrupt services. Given the high prevalence of WordPress in Europe for business and governmental websites, and the common use of NGINX in hosting environments, the threat could impact confidentiality, integrity, and availability of critical web assets. Organizations handling personal data under GDPR could face severe compliance and reputational consequences if exploited. Additionally, attackers with administrator access could leverage this vulnerability to pivot within networks, escalating attacks beyond the web server. The absence of known exploits in the wild currently reduces immediate risk, but the vulnerability's presence in a widely used plugin and the ease of exploitation by privileged users make it a critical concern for European entities relying on this plugin for backup and migration tasks.

Mitigation Recommendations

1. Immediate upgrade: Organizations should update the WPvivid Backup & Migration plugin to a version patched against CVE-2025-5961 once released by the vendor.
2. Restrict administrator access: Limit the number of users with Administrator-level privileges to reduce the attack surface.
3. Harden server configurations: For NGINX servers, implement strict access controls on upload directories to prevent execution of uploaded files, such as disabling script execution in upload folders.
4. Monitor file uploads: Deploy monitoring and alerting for unusual file uploads or changes in the upload directories.
5. Web Application Firewall (WAF): Use WAF rules to detect and block suspicious file upload attempts or malicious payloads.
6. Backup and incident response: Maintain regular backups and have an incident response plan ready to quickly remediate any compromise.
7. Audit plugin usage: Evaluate the necessity of the WPvivid plugin and consider alternative plugins with better security track records if appropriate.
8. For Apache servers, verify .htaccess rules remain intact and effective to prevent direct access to uploaded files.
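The advisory's key caveat is that the upload folder's .htaccess protects Apache but is ignored by NGINX, so recommendation 3 has to be done in the NGINX configuration itself. The following server block is an added example (not from the advisory or the WPvivid project) showing how to refuse PHP execution for anything under the WordPress uploads tree; the server name, document root, PHP-FPM socket and the assumption that the plugin's import directory sits under wp-content/uploads/ are placeholders to confirm on your own install.

```nginx
# Added example, not part of the advisory or the WPvivid plugin.
# Assumptions (placeholders): WordPress lives in /var/www/wordpress, PHP-FPM
# listens on /run/php/php-fpm.sock, and the plugin's import folder is somewhere
# under /wp-content/uploads/. Confirm the actual upload path before deploying.
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/wordpress;          # placeholder
    index index.php;

    # Deny direct requests for script files under the uploads tree.
    # NGINX evaluates regex locations in file order and stops at the first
    # match, so this block MUST come before the generic PHP handler below;
    # otherwise an uploaded .php file would be handed to PHP-FPM and run.
    location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9]+)$ {
        deny all;                     # answers 403 without touching PHP-FPM
    }

    # Generic PHP handler for the rest of the site (WordPress core, plugins).
    location ~ \.php$ {
        try_files $uri =404;          # never proxy a path that does not exist on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    # Standard WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After `nginx -t` and a reload, confirm the ordering took effect by requesting a harmless test name such as /wp-content/uploads/probe.php and checking that the response is 403 rather than a PHP-generated page; the same check is worth repeating after any later edits to the site's PHP handler.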

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-06-10T00:50:12.470Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68668b996f40f0eb72975191

Added to database: 7/3/2025, 1:54:33 PM

Last enriched: 7/3/2025, 2:09:36 PM

Last updated: 7/3/2025, 4:01:14 PM
