WPvivid Vulnerability – Missing Authorization – CVE-2023-4637 | WordPress Plugin Vulnerability Report

Plugin Name: WPvivid

Key Information:

  • Software Type: Plugin
  • Software Slug: wpvivid-backuprestore
  • Software Status: Active
  • Software Author: wpvividplugins
  • Software Downloads: 6,203,119
  • Active Installs: 400,000
  • Last Updated: January 19, 2024
  • Patched Versions: 0.9.95
  • Affected Versions: <= 0.9.94

Vulnerability Details:

  • Name: WPvivid <= 0.9.94 - Missing Authorization
  • Title: Missing Authorization
  • Type: Missing Authorization
  • CVE: CVE-2023-4637
  • CVSS Score: 4.3 (Medium)
  • Publicly Published: January 19, 2024
  • Researcher: Revan Arifio
  • Description: The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() functions in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a backup ID.

Summary:

The WPvivid plugin for WordPress has a vulnerability in versions up to and including 0.9.94 that allows unauthorized access to restore functions and backup data. This vulnerability has been patched in version 0.9.95.

Detailed Overview:

The WPvivid plugin did not have proper authorization checks on the restore() and get_restore_progress() functions prior to version 0.9.95. This allowed any unauthenticated user with knowledge of a valid backup ID to invoke these functions and gain access to sensitive file path data from backups. The vulnerability was reported by researcher Revan Arifio and received a CVSS severity score of 4.3 (Medium). Sites running WPvivid versions 0.9.94 or below should update to version 0.9.95 immediately to resolve this vulnerability. The plugin authors have implemented additional capability checks in the newest version to prevent unauthorized access.
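As an added illustration (not WPvivid's code), the handler shape the advisory describes is shown next to the usual WordPress fix. The hook and function names, the backup_id parameter and the option key are assumed, and registering the handler on wp_ajax_nopriv_ stands in for whatever exposed the real functions to unauthenticated callers.

```php
<?php
// Hypothetical WordPress AJAX handlers, written for this report; the names,
// parameters and storage key are assumed and are not WPvivid's.

// --- Vulnerable shape: the handler is reachable by guests (wp_ajax_nopriv_)
// and never asks who the caller is or what they are allowed to do. ---
function vulnerable_get_restore_progress() {
    $backup_id = sanitize_text_field( $_POST['backup_id'] ?? '' );
    // Progress data carries the absolute path of the backup file being
    // restored, so an unauthenticated caller learns the server's file layout.
    $progress = get_option( 'example_restore_progress_' . $backup_id, array() );
    wp_send_json( $progress );
}
add_action( 'wp_ajax_vulnerable_get_restore_progress', 'vulnerable_get_restore_progress' );
// The missing-authorization bug: the same handler is exposed to visitors.
add_action( 'wp_ajax_nopriv_vulnerable_get_restore_progress', 'vulnerable_get_restore_progress' );

// --- Hardened shape: no nopriv hook, a capability check, and a nonce. ---
function hardened_get_restore_progress() {
    // 1. Authorization: only users who may administer the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF protection: the nonce is issued to the admin page that calls us.
    check_ajax_referer( 'example_restore_nonce', 'nonce' );

    // 3. Validate the identifier before using it to build a storage key.
    $backup_id = sanitize_text_field( $_POST['backup_id'] ?? '' );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $backup_id ) ) {
        wp_send_json_error( array( 'message' => 'bad backup id' ), 400 );
    }

    $progress = get_option( 'example_restore_progress_' . $backup_id, array() );
    // 4. Least exposure: an admin needs the file name, not the absolute path.
    if ( isset( $progress['file'] ) ) {
        $progress['file'] = basename( $progress['file'] );
    }
    wp_send_json_success( $progress );
}
add_action( 'wp_ajax_hardened_get_restore_progress', 'hardened_get_restore_progress' );
```

The capability check is the fix the advisory credits to 0.9.95; the nonce and the basename step are defence in depth that the advisory does not describe.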

Advice for Users:

  1. Immediate Action: Update to WPvivid version 0.9.95 or higher.
  2. Check for Signs of Exploitation: Review server access and error logs for any unexpected restore operations.
  3. Alternate Plugins: Consider similar backup plugins like UpdraftPlus as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerabilities.
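For the log-review step, an added helper that is not part of the advisory or of WPvivid. It assumes the web server writes the common/combined access-log format and that the restore handlers are reached through admin-ajax.php with an action parameter containing "restore"; the sample lines are constructed.

```php
<?php
// Added log-review helper (assumptions: combined log format; restore handlers
// reached via admin-ajax.php with an "action" parameter containing "restore").
// Only query-string parameters appear in access logs, so POST bodies are
// invisible here; treat a match as a lead to check against the plugin's own
// logs and the site's admin activity, not as proof of an exploit.

function find_restore_requests( array $lines ): array {
    $hits = array();
    // remote IP, timestamp, method, target, status
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue; // not a request line we understand
        }
        [ , $ip, $time, $method, $target, $status ] = $m;
        if ( stripos( $target, 'admin-ajax.php' ) === false ) {
            continue;
        }
        parse_str( (string) parse_url( $target, PHP_URL_QUERY ), $params );
        $action = (string) ( $params['action'] ?? '' );
        if ( stripos( $action, 'restore' ) === false ) {
            continue;
        }
        $hits[] = compact( 'ip', 'time', 'method', 'action', 'status' );
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample = array(
    '203.0.113.7 - - [19/Jan/2024:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_restore_progress&backup_id=abc123 HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.9 - - [19/Jan/2024:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 89 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Jan/2024:10:02:20 +0000] "POST /wp-admin/admin-ajax.php?action=example_restore HTTP/1.1" 200 44 "-" "curl/8.4.0"',
);

foreach ( find_restore_requests( $sample ) as $hit ) {
    // An administrator's own restore normally comes from a logged-in browser
    // session on a known address; an unfamiliar IP or a tool user agent on
    // these actions is what the advice above asks you to notice.
    printf( "%s %s %s action=%s status=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['action'], $hit['status'] );
}
```

On the sample input the two lines from 203.0.113.7 are reported and the heartbeat request is ignored.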

Conclusion:

The quick response by the WPvivid developers to implement additional security protections and release version 0.9.95 is commendable. Sites running older versions are highly encouraged to update immediately to close this unauthorized access vulnerability.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpvivid-backuprestore

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpvivid-backuprestore/wpvivid-0994-missing-authorization

Detailed Report:

A serious security vulnerability was recently disclosed in WPvivid, a popular WordPress backup plugin with over 400,000 active installs. Like all software, plugins can harbor flaws that hackers actively try to exploit. That’s why keeping your WordPress site and plugins fully updated is so critical. Don’t let your site be the one compromised!

About WPvivid

WPvivid is a widely used WordPress backup and restore plugin with over 6 million downloads. It allows users to easily schedule and manage backups for their WordPress sites. Developed by WPvividplugins, it currently has around 400,000 active install sites.

The Vulnerability

In versions 0.9.94 and below, WPvivid’s restore functions lacked proper authorization checks. This allowed any user with knowledge of a backup ID to access sensitive backup file path data without authentication. The issue received a CVSS severity score of 4.3 out of 10 and could enable attackers to steal data or further infiltrate sites.

Impacts if Exploited

If exploited, this vulnerability could allow attackers to access full backup archives, exposing private site data including passwords, financial information, or personal details of your customers and team. With full backups in hand, attackers could fully replicate or tamper with your site.

Updating WPvivid

The good news is the developers have already patched the software. Sites using vulnerable versions should update to 0.9.95 immediately. The new version implements authorization checks to secure the restore functions. Be sure automatic updates are enabled if available.

Ongoing Security Requires Vigilance

While this particular crisis has passed, new threats emerge constantly. WPvivid has actually seen 15 vulnerabilities reported in just the past few years. To stay secure:

  • Maintain awareness of any plugin issues through official feeds
  • Enable automatic plugin updates if available
  • Schedule regular manual scans for outdated software
  • Consider reputable alternate backup solutions like UpdraftPlus

Security takes diligence. But we can help check software and ensure your site stays safely updated. Just ask! We know you have a business to run - so let us shoulder the site maintenance burden. The time investment pays off enormously when it prevents a disastrous breach. Let’s make sure your WordPress site stays locked up tight!

Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.

Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.
