CVE-2025-12656: WPvivid Plugin Arbitrary Directory Deletion Vulnerability
The WPvivid Backup & Migration plugin for WordPress contains a vulnerability that allows administrators to inadvertently (or maliciously) delete arbitrary directories from the server. The flaw lies in insufficient validation of file paths when canceling a staging site, meaning an authenticated admin could specify any folder path and have it removed. This is restricted to high-privilege accounts, but the impact—permanent data loss—is serious for affected organizations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.8 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-73
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-12656 is a directory traversal and arbitrary deletion vulnerability in the WPvivid plugin's delete_cancel_staging_site() function. The vulnerability stems from insufficient sanitization and validation of user-supplied directory paths (CWE-73: External Control of File Name or Path). When an administrator initiates a staging site cancellation, the plugin fails to restrict deletion operations to intended staging directories, allowing an attacker with Administrator credentials to specify arbitrary folder paths—potentially including critical WordPress directories, database backups, or system files outside the web root if file permissions allow. The vulnerability affects all versions through 0.9.128 and requires authenticated access with Administrator-level or higher privileges.
Business impact
Organizations relying on WPvivid for backup and disaster recovery operations face risk of unintended data destruction. A compromised or malicious administrator account could weaponize this flaw to delete critical backups, staging data, or even core application files, hindering recovery operations and amplifying the damage from a primary security incident. For hosting providers and managed WordPress services, this creates liability if a customer's admin account is breached. Data loss scenarios could trigger regulatory compliance violations (GDPR, HIPAA, PCI-DSS) if customer or patient data is permanently deleted without recovery options.
Affected systems
WordPress installations using the Migration, Backup, Staging – WPvivid Backup & Migration plugin in version 0.9.128 or earlier are affected. The vulnerability requires an authenticated WordPress user with Administrator-level access or higher, making it relevant to organizations where admin credentials may be shared, compromised, or where insider threats are a concern. Self-hosted WordPress sites and managed WordPress hosting services using this plugin are all in scope.
Exploitability
Exploitation requires a high bar: the attacker must possess or obtain valid WordPress Administrator credentials. No user interaction (UI) is needed—an attacker with admin access can directly invoke the vulnerable function via the plugin's interface or REST API. The attack is deterministic; once executed, it succeeds without additional complexity. However, the attack is not remotely exploitable without prior account compromise, and the vulnerability is not reported in CISA's Known Exploited Vulnerabilities catalog, suggesting active exploitation in the wild is not yet widespread.
Remediation
Update the WPvivid Backup & Migration plugin to a version newer than 0.9.128 (verify against the vendor advisory for the exact patched version). The patch should enforce strict path validation to ensure only staging directories within the intended plugin directory structure can be deleted. Organizations unable to update immediately should restrict Administrator-level WordPress access to trusted personnel only and implement audit logging for all staging site operations.
Patch guidance
Contact WPvivid or check WordPress.org plugin repository for an available patch version. Once a patched version is released, update via WordPress Dashboard > Plugins > Updates, or download and manually install from the plugin repository. Test the update in a non-production environment first to ensure compatibility with your backup workflows. If no patch is available, consider temporarily deactivating the staging functionality or disabling the plugin until a fix is confirmed.
Detection guidance
Monitor WordPress admin audit logs for calls to the delete_cancel_staging_site() function, especially those followed by unexpected file deletion events. Check server-level logs (e.g., Apache/Nginx access logs) for POST requests to the plugin's API endpoints corresponding to staging site deletion. Review file system change logs (auditd on Linux, Windows Event Log on Windows) for unexplained deletion of directories outside the staging folder structure. An intrusion detection system (IDS) or file integrity monitoring (FIM) tool can alert on unauthorized file deletions.
Why prioritize this
Although rated CVSS 3.8 (LOW) due to the high privilege requirement, the impact severity justifies elevated attention. The vulnerability enables permanent, unrecoverable data loss if exploited, which is catastrophic for backup and recovery infrastructure. Organizations should prioritize patching based on (1) whether admin credentials are at risk, (2) whether the staging feature is actively used, and (3) whether backup data is stored in directories accessible to the plugin. High-risk scenarios warrant immediate action despite the low CVSS.
Risk score, explained
CVSS 3.1 score of 3.8 (LOW severity) reflects the requirement for authenticated Administrator-level access (PR:H), which significantly reduces real-world likelihood. Network accessibility (AV:N) and low attack complexity (AC:L) are factored in, but the privilege barrier dominates the rating. Integrity (I:L) and Availability (A:L) impacts—reflecting file deletion—are rated as 'Low' by the CVSS scale because the scope is limited to the affected system and does not cascade. However, in a backup/disaster-recovery context, 'Low' availability impact understates business criticality; risk assessments should consider organizational context.
Frequently asked questions
Does this vulnerability allow unauthenticated access?
No. The vulnerability requires valid WordPress Administrator credentials to exploit. Without admin login, the vulnerable function cannot be invoked.
What is the difference between a staging site and a live backup?
A staging site is a temporary copy of your WordPress installation used for testing updates and changes before deploying to production. This vulnerability allows deletion of staging directories; however, improper path validation could extend to other directories, potentially including backup storage if configured improperly.
If I don't use the staging feature, am I still at risk?
The vulnerability is in the staging site cancellation function. If you never create or use staging sites, the attack surface is minimal. However, it's still prudent to update once a patch is available, as future vulnerabilities in the same plugin are possible.
Can this vulnerability be exploited via a supply-chain attack or plugin update?
The vulnerability itself requires admin credentials to trigger. However, if an attacker compromises the WPvivid plugin repository or updates mechanism, they could inject code that triggers deletion attacks automatically. Always download plugins from official sources and verify checksums when possible.
This analysis is provided for informational purposes to support vulnerability risk assessment and incident response. It does not constitute professional security advice. Organizations should conduct their own risk analysis, test patches in non-production environments before deployment, and consult vendor advisories and security documentation for authoritative guidance. The stated CVSS score and affected versions reflect data current as of the publication date; verify against the official CVE database and vendor advisories for updates. No exploit code or weaponization steps are provided herein. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)