Researchers warn of a security flaw recently addressed in the WPvivid Backup Plugin that could be exploited to obtain all files of a WordPress website.

WebARX experts warn of a missing authorization check recently addressed in the WPvivid Backup Plugin that could be exploited to obtain all files of a WordPress website.

“There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and all files of the WordPress site.” reads the post published by WebARX.

The WPvivid Backup Plugin is a free all-in-one backup, restore and migration WordPress plugin, which has over 40,000 active installations (has 30,000+ active installations as of February 28th, 2020).

It allows users to easily migrate a copy of a WP site to a new host (a new domain), schedule backups, send backups to leading remote storage.

The analysis of the code revealed the presence of several wp_ajax actions that miss the authorization check leading to Cross-Site Request Forgery (CSRF) attacks.

The most impacted action is the ‘wp_ajax_wpvivid_add_remote’, means that users with any role could add a new storage location and use it as the default backup location.

“This means that the next time the backup runs, it will use this backup location and upload the backup to this location.” continues the analysis.

“For example, an evil person could set up a S3 Bucket at AWS and set it as a default remote location on the site. Then next time the backup runs, the entire database and/or files will be uploaded to the S3 Bucket of the evil person.”

Experts explained that once the attackers have set up a new storage location, the next time the plugin will run, it would upload the backup to it. An authenticated attacker could set the plugin to send the backup to a remote location under the control of the attacker, giving it access to any file on the website.

The CSRF vulnerability could be also exploited by remote attackers to trick an admin user to execute an unwanted admin action implemented by the plugin.

Below the timeline for this vulnerability:

28-02-2020 – Discovery of the vulnerability in WPvivid and release of a virtual patch to all WebARX customers.

28-02-2020 – Reported the issue to the developer of the WPvivid plugin.

05-03-2020 – Asked for update regarding the report.

17-03-2020 – New version released that fixes the vulnerability in WPvivid plugin.

Pierluigi Paganini