CVE-2022-2863

WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read

EPSS 17.7%CWE-22

Vexday Risk Score

23Low

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 17.7%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

16 Sep 2022Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack

Affected products

Unknown · Migration, Backup, Staging – WPvivid

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://packetstormsecurity.com/files/168616/WordPress-WPvivid-Backup-Path-Traversal.html http://seclists.org/fulldisclosure/2022/Oct/0 https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5