Improper Authorization in Backup WordPress Site by WPvivid - #VU26324


Published: March 24, 2020


Vulnerability identifier: #VU26324
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Backup WordPress Site by WPvivid
Software vendor: wpvivid.com

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to missing authorization checks in the "wp_ajax_wpvivid_add_remote" AJAX action. A remote authenticated attacker can add a new remote storage location, set it as the default backup location and gain access to sensitive database information.

This vulnerability also leads to a CSRF issue.
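The class of defect described above, as an added PHP example that is not WPvivid's code: a hypothetical admin-ajax handler for adding a remote storage location, shown first without any checks and then in hardened form. The action name `example_add_remote`, the nonce action `example_add_remote_nonce`, the option key `example_remotes`, the script handle `example-admin` and the choice of the `manage_options` capability are all assumptions for the illustration.

```php
<?php
// Added illustrative example (not the plugin's code). Every name below is an
// assumption: a hypothetical plugin that lets an administrator register a
// remote backup target through admin-ajax.php.

// BEFORE (the defect class in the advisory): the handler trusts that being
// reachable through wp_ajax_* is enough. Any authenticated user, including a
// subscriber, can call it, and because no nonce is verified a forged
// cross-site request from a logged-in admin's browser works too (CSRF).
function example_unsafe_add_remote() {
    $remotes   = get_option( 'example_remotes', array() );
    $remotes[] = $_POST['remote'];            // unchecked, unsanitized
    update_option( 'example_remotes', $remotes );
    wp_send_json_success();
}

// AFTER: a privileged AJAX action must (1) verify a nonce bound to this
// user and action, (2) check the capability the operation really requires,
// and only then (3) read and validate the request body.
function example_hardened_add_remote() {
    // 1. CSRF protection: check_ajax_referer() terminates the request with
    //    "-1" when the nonce is missing or invalid.
    check_ajax_referer( 'example_add_remote_nonce', 'nonce' );

    // 2. Authorization: every logged-in user reaches wp_ajax_* hooks, so the
    //    capability check is what keeps low-privilege accounts out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: reject anything that is not a well-formed remote.
    $raw = isset( $_POST['remote'] ) ? wp_unslash( $_POST['remote'] ) : array();
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( array( 'message' => 'Invalid remote definition.' ), 400 );
    }
    $remote = array(
        'type' => sanitize_key( $raw['type'] ?? '' ),
        'host' => sanitize_text_field( $raw['host'] ?? '' ),
        'path' => sanitize_text_field( $raw['path'] ?? '' ),
    );
    if ( '' === $remote['type'] || '' === $remote['host'] ) {
        wp_send_json_error( array( 'message' => 'Invalid remote definition.' ), 400 );
    }

    $remotes   = get_option( 'example_remotes', array() );
    $remotes[] = $remote;
    update_option( 'example_remotes', $remotes, false );

    wp_send_json_success( array( 'count' => count( $remotes ) ) );
}
// Register for authenticated users only; never also hook wp_ajax_nopriv_*
// for a handler that changes configuration.
add_action( 'wp_ajax_example_add_remote', 'example_hardened_add_remote' );

// Hand the nonce to the admin page's script so legitimate requests can send
// it as the "nonce" POST field checked above (script handle is assumed).
function example_enqueue_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_add_remote_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_nonce' );
```

The order of the checks matters: the nonce check runs first so that a forged request is rejected before any state is read, and the capability check is separate from the nonce check because a valid nonce only proves the request came from the current user's own session, not that the user is allowed to change backup targets. Reviewing a plugin for this defect class means looking at each `add_action( 'wp_ajax_...' )` registration and confirming the callback performs both checks before it touches options or the database.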


Remediation

Install updates from the vendor's website.

External links