CVE-2025-5961: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads in versions up to and including 0.9.116. The vulnerability was discovered on July 3, 2025 and is tracked as CVE-2025-5961. The issue affects the 'wpvividuploadimport_files' function which lacks proper file type validation (NVD, CVE).

The vulnerability exists due to missing file type validation in the 'wpvividuploadimportfiles' function. The issue occurs on line 2235 where $filename is set using basename(sanitizetextfield($POST['name'])) and then used on line 2246 to write the file to the filesystem using fopen($path.$filename, 'wb') without any type checking. This allows authenticated attackers with administrator-level access to upload arbitrary files to the server. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 HIGH (Exploit, NVD).

The vulnerability allows authenticated attackers with administrator-level access to upload arbitrary files to the affected site's server, potentially enabling remote code execution. However, the impact is limited as uploaded files are only accessible on WordPress instances running on NGINX web servers, since the existing .htaccess within the target file upload folder prevents access on Apache servers (NVD).

The vulnerability has been patched in version 0.9.117 of the WPvivid Backup & Migration plugin. Users should update to this version or later to protect their installations (Patch).