CVE-2024-13869

Name of the Vulnerable Software and Affected Versions Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress versions up to, and including, 0.9.112

Description The issue is related to arbitrary file uploads due to missing file type validation in the upload files function. This allows authenticated attackers with Administrator-level access and above to upload arbitrary files on the affected site's server, potentially making remote code execution possible. Note that uploaded files are only accessible on WordPress instances running on the NGINX web server, as the existing .htaccess within the target file upload folder prevents access on Apache servers.

Recommendations For versions up to, and including, 0.9.112, consider disabling the upload files function as a temporary workaround until a patch is available. Restrict access to the file upload folder to minimize the risk of exploitation. Avoid using the upload files function in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.