The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() function in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID.
References
Configurations
History
21 Nov 2024, 08:35
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
References | () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php - Issue Tracking | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve - Third Party Advisory |
12 Feb 2024, 15:55
Type | Values Removed | Values Added |
---|---|---|
First Time |
Wpvivid migration\, Backup\, Staging
Wpvivid |
|
CWE | CWE-862 | |
References | () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943 - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php - Issue Tracking | |
References | () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 - Issue Tracking | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
CPE | cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:* |
05 Feb 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-05 22:15
Updated : 2024-11-21 08:35
NVD link : CVE-2023-4637
Mitre link : CVE-2023-4637
CVE.ORG link : CVE-2023-4637
JSON object : View
Products Affected
wpvivid
- migration\,_backup\,_staging
CWE
CWE-862
Missing Authorization