Migration, Backup, Staging – WPvivid, CVE-2025-12654
- CVE, Research URL
- Application
- Published on
- Dec 21, 2025
- Research Description
- The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.
- Affected versions
-
max 0.9.120.
- Status
-
vulnerable