CVE-2025-5961

Name of the Vulnerable Software and Affected Versions: Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress versions up to, and including, 0.9.116

Description: The issue is related to arbitrary file uploads due to missing file type validation in the wpvivid upload import files function. This allows authenticated attackers with Administrator-level access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible. Note that uploaded files are only accessible on WordPress instances running on the NGINX web server.

Recommendations: For versions up to, and including, 0.9.116, update to a version that includes a fix for the missing file type validation in the wpvivid upload import files function. As a temporary workaround, consider restricting access to the file upload functionality to minimize the risk of exploitation. Additionally, restrict access to the uploaded files on NGINX servers to prevent potential remote code execution.