{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12654", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T20:38:20.329Z", "datePublished": "2025-12-21T03:20:05.772Z", "dateUpdated": "2026-04-08T16:57:56.783Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:56.783Z"}, "affected": [{"vendor": "wpvividplugins", "product": "WPvivid \u2014 Backup, Migration & Staging", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.9.120", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging \u2013 WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories."}], "title": "Migration, Backup, Staging \u2013 WPvivid Backup & Migration <= 0.9.120 - Authenticated (Admin+) Arbitrary Directory Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568"}, {"url": "https://wordpress.org/plugins/wpvivid-backuprestore/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chokri Hammedi"}], "timeline": [{"time": "2025-12-20T14:45:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T15:52:09.219610Z", "id": "CVE-2025-12654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T15:52:30.679Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-22T15:52:09.219610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T15:52:20.318Z"}}], "cna": {"title": "Migration, Backup, Staging \u2013 WPvivid Backup & Migration <= 0.9.120 - Authenticated (Admin+) Arbitrary Directory Creation", "credits": [{"lang": "en", "type": "finder", "value": "Chokri Hammedi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpvividplugins", "product": "WPvivid \u2014 Backup, Migration & Staging", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.9.120"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-20T14:45:41.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571"}, {"url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568"}, {"url": "https://wordpress.org/plugins/wpvivid-backuprestore/"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging \u2013 WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:56.783Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12654", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:57:56.783Z", "dateReserved": "2025-11-03T20:38:20.329Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-21T03:20:05.772Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Migration, Backup, Staging \u2013 WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories."}], "id": "CVE-2025-12654", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-21T04:16:04.023", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/wpvivid-backuprestore/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:56:36.264408+00:00", "value": {"mitigation_remediation": ["Update the WPvivid plugin to a version that resolves the directory-creation check, such as 0.9.121 or newer.", "If the plugin is no longer required, uninstall or disable it to eliminate the attack surface.", "Ensure only trusted administrators retain access to the plugin\u2019s staging and backup functions, and consider tightening role permissions or removing the Staging feature if it is unnecessary for your environment."], "summary": {"action": "Apply Update", "impact": "Arbitrary Directory Creation via authenticated Administrator-level access"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WPvivid plugin (Backup, Migration & Staging) under any administrator or super\u2011user account, including all releases through and including 0.9.120.\n", "description_and_impact": "The WPvivid Backup & Migration plugin up to version 0.9.120 contains code that improperly validates the location and permissions for directory creation. This flaw allows an authenticated user with Administrator or higher privileges to create directories in arbitrary locations on the WordPress file system. The creation of directories can be a stepping stone to further malicious activity, such as uploading executable files, but the CVE description does not detail any subsequent exploitation.\n", "risk_and_exploitability": "The CVSS score of 2.7 reflects a low severity, and the EPSS score of less than 1 percent indicates a very small probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access with Administrator privileges, typically achieved through a legitimate admin session or compromise of such credentials. Once accessed, the attacker can create directories at will within the allowed file system paths. No public exploit code is documented, and the attack vector is local to the WordPress admin interface.\n"}}}}, "created": "2025-12-23T22:52:28.135669+00:00", "updated": "2026-04-21T17:00:12.327015+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpvividplugins", "wpvividplugins$PRODUCT$migration_backup_staging_wpvivd_backup_and_migration"]}