CVE-2023-4637

The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() function in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 08:35

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 4.3
References () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 - Issue Tracking () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 - Issue Tracking
References () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943 - Issue Tracking () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943 - Issue Tracking
References () https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php - Issue Tracking () https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve - Third Party Advisory () https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve - Third Party Advisory

12 Feb 2024, 15:55

Type Values Removed Values Added
First Time Wpvivid migration\, Backup\, Staging
Wpvivid
CWE CWE-862
References () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943 - () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3943 - Issue Tracking
References () https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php - () https://plugins.trac.wordpress.org/changeset/3023214/wpvivid-backuprestore/trunk/includes/class-wpvivid.php?contextall=1&old=3007861&old_path=%2Fwpvivid-backuprestore%2Ftrunk%2Fincludes%2Fclass-wpvivid.php - Issue Tracking
References () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 - () https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/class-wpvivid.php#L3736 - Issue Tracking
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/bad0bd6b-9c88-4d31-90b5-92d3ceb8c0af?source=cve - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
CPE cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:*

05 Feb 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-05 22:15

Updated : 2024-11-21 08:35


NVD link : CVE-2023-4637

Mitre link : CVE-2023-4637

CVE.ORG link : CVE-2023-4637


JSON object : View

Products Affected

wpvivid

  • migration\,_backup\,_staging
CWE
CWE-862

Missing Authorization