Migration, Backup, Staging Vulnerability– WPvivid – Missing Authorization – CVE-2024-1982 | WordPress Plugin Vulnerability Report
Plugin Name: Migration, Backup, Staging – WPvivid
Key Information:
- Software Type: Plugin
- Software Slug: wpvivid-backuprestore
- Software Status: Active
- Software Author: wpvividplugins
- Software Downloads: 6,465,323
- Active Installs: 400,000
- Last Updated: February 28, 2024
- Patched Versions: 0.9.69
- Affected Versions: <= 0.9.68
Vulnerability Details:
- Name: WPvivid Backup and Migration <= 0.9.68
- Title: Missing Authorization
- Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
- CVE: CVE-2024-1982
- CVSS Score: 6.5
- Publicly Published: February 28, 2024
- Researcher: Denis Werner - HiSolutions AG
- Description: The Migration, Backup, Staging – WPvivid plugin for WordPress has been identified with a critical vulnerability due to a missing capability check on the
get_restore_progress()
andrestore()
functions. This flaw, present in all versions up to 0.9.68, potentially allows unauthenticated attackers to carry out SQL injection attacks or induce a Denial of Service (DoS) condition, compromising site stability and security.
Summary:
The widely utilized WordPress plugin, Migration, Backup, Staging – WPvivid, faces a significant security challenge due to a missing authorization vulnerability, cataloged under CVE-2024-1982. This vulnerability impacts versions up to 0.9.68 and has been effectively addressed in the recent update, version 0.9.69.
Detailed Overview:
Discovered by Denis Werner from HiSolutions AG, this vulnerability underscores the importance of stringent capability checks within plugin functionalities. The absence of such checks in critical functions like get_restore_progress()
and restore()
opens the door for attackers to exploit the plugin, leading to SQL injections and DoS attacks. The newly released patch 0.9.69 rectifies this security lapse, reinforcing the plugin’s defenses against unauthorized access and potential exploits.
Advice for Users:
- Immediate Action: It is imperative for users of the WPvivid plugin to update to the patched version 0.9.69 immediately to safeguard their sites from potential exploitation.
- Check for Signs of Vulnerability: Administrators should closely monitor their sites for any signs of unauthorized access or unusual activities that could indicate exploitation attempts.
- Alternate Plugins: While the patched version is now secure, users might explore other reputable backup and migration plugins as a precautionary measure, ensuring they also adhere to best security practices.
- Stay Updated: Consistently updating all WordPress plugins, themes, and core files is crucial for maintaining site security and functionality, thereby mitigating known vulnerabilities.
Conclusion:
The prompt resolution of CVE-2024-1982 in the WPvivid plugin highlights the ongoing need for vigilance and proactive security measures within the WordPress community. For site owners, particularly small business operators who may not have extensive technical resources, this incident serves as a critical reminder of the importance of regular updates and security best practices. Engaging in regular security audits, employing reputable plugins, and staying abreast of the latest security advisories are key strategies in protecting digital assets and ensuring a secure online presence.
References:
- Wordfence Vulnerability Report for WPvivid Backup and Migration
- Wordfence Vulnerabilities Database