CVE-2024-1982 in WPvivid Backup and Migration Plugin
Summary
by MITRE • 02/29/2024
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/12/2026
The WPvivid plugin presents a critical security weakness in its migration and backup functionality that stems from inadequate access control mechanisms. This vulnerability affects all plugin versions up to and including 0.9.68, creating a persistent risk for WordPress installations that utilize this tool for site management operations. The core issue manifests in two primary functions: get_restore_progress() and restore(), which fail to verify user capabilities before executing sensitive operations. This missing capability check represents a fundamental flaw in the plugin's security architecture, allowing any remote attacker to bypass authentication requirements and access critical backup restoration features.
The technical exploitation of this vulnerability occurs through the absence of proper WordPress capability checks within the affected functions. When an attacker accesses these endpoints without authentication, the plugin processes restoration requests without validating whether the requester possesses the necessary permissions. This oversight creates multiple attack vectors including SQL injection opportunities and denial of service conditions. The vulnerability aligns with CWE-285, which addresses insufficient authorization checks, and specifically demonstrates how missing capability validation can lead to unauthorized access to privileged functions. Attackers can leverage this weakness to manipulate backup restoration processes, potentially compromising entire site configurations or triggering system resource exhaustion.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass significant data integrity and availability risks. Unauthenticated attackers can exploit the SQL injection vulnerability to extract sensitive information from the database, potentially gaining access to user credentials, site configurations, or other confidential data. Additionally, the DoS capabilities allow malicious actors to disrupt legitimate backup and restoration operations, causing downtime for critical site maintenance activities. This vulnerability particularly affects WordPress environments where the WPvivid plugin is installed, as it undermines the security model that should protect sensitive restoration functions. The attack surface is broad since the plugin's restoration features are commonly used during site migrations and recovery operations, making the impact more severe in production environments.
Security mitigations for this vulnerability require immediate plugin updates to versions that implement proper capability checks. Organizations should also implement network-level restrictions to limit access to plugin endpoints and monitor for suspicious restoration activity. The remediation process should include verifying that all user interactions with restoration functions properly validate WordPress user capabilities before executing any privileged operations. This vulnerability demonstrates the importance of following secure coding practices as outlined in the OWASP Top Ten and aligns with ATT&CK technique T1213, which covers data from information repositories. Regular security audits of WordPress plugins should include capability validation checks to prevent similar issues from emerging in other components of the ecosystem.