CVE-2024-1982: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid plugin for WordPress (versions up to 0.9.68) contains a critical vulnerability identified as CVE-2024-1982. The vulnerability stems from a missing capability check on the getrestoreprogress() and restore() functions, allowing unauthenticated attackers to access these functions without proper authorization (NVD, HiSolutions Research).

The vulnerability exists due to improper access control in several plugin functions that can be called without authentication, including wpajaxnoprivwpvividrestore, wpajaxnoprivwpvividgetrestoreprogress, wpajaxnoprivwpvividstgstartstagingfree, and wpajaxnoprivwpvividstggetstagingprogress_free. The vulnerability has received a CVSS v3.1 base score of 9.1 (CRITICAL) from NIST and 6.5 (MEDIUM) from Wordfence, indicating its severe nature (NVD).

The vulnerability allows attackers to perform unauthorized actions including exfiltrating the entire WordPress database and creating multiple local copies of WordPress pages that can exhaust disk space and disrupt system availability. Additionally, attackers can potentially manipulate SQL queries and access or modify database contents without authentication (HiSolutions Research).

The vulnerability has been patched in version 0.9.69 of the WPvivid Backup and Migration plugin. The fix involves disabling the vulnerable wpvividstgstartstagingfree and wpvividstggetstagingprogress_free actions. Users are strongly advised to upgrade to version 0.9.69 or higher as soon as possible (HiSolutions Research).