A missing authorization check in the WPvivid Backup plugin lets any authenticated user redirect the site's backups to a remote storage location they control, which exposes the database and all files of the WordPress site.

The WPvivid Backup Plugin is described as “Migrate a copy of WP site to a new host (a new domain), schedule backups, send backups to leading remote storage. All in one backup&migration plugin”.

When we looked through the code of this plugin, we noticed that there are wp_ajax actions that do not have a proper authorization check in place. They are also missing nonce checks, which makes them vulnerable to CSRF as well.

The plugin has 30,000+ active installations as of February 28th, 2020. The issue has been fixed in version 0.9.36.

The Issue

The most critical registered wp_ajax action without an authorization check is wp_ajax_wpvivid_add_remote.

It allows any authenticated user, regardless of their user role (a subscriber is enough), to add a new remote storage location and set it as the default backup location.

This means that the next time the backup runs, it will use this backup location and upload the backup to this location.

For example, an attacker could set up an S3 bucket at AWS and set it as the default remote location on the site. The next time the backup runs, the database and/or files covered by the backup are uploaded to the attacker's S3 bucket.

Code Analysis

In /includes/class-wpvivid.php, we see the following code:

    if(is_admin()) {
        $this->define_admin_hook();
        //Add ajax hook
        $this->load_ajax_hook_for_admin();
    }

is_admin() is not an authorization check: it only tells you whether an administration page is being rendered, and it also returns true for requests to /wp-admin/admin-ajax.php, which any logged-in user can call regardless of role. The load_ajax_hook_for_admin function therefore registers a bunch of wp_ajax actions for every authenticated user.

Surprisingly, all of them except the wp_ajax_wpvivid_add_remote action have an authorization check. However, this matters less than it should, because there is not a single nonce check in the entire plugin, so pretty much every action can be triggered via CSRF by luring a logged-in administrator to an attacker-controlled page.

The wp_ajax_wpvivid_add_remote action is bound to the add_remote function, which determines the type of remote location, checks its validity and then adds it to the list of remote locations.

It also checks if the default attribute is present and if so, will adjust the scheduled backup settings to change the remote location to the one that is being added.

The Patch

The changes can be found here, where we can see that a call to ajax_check_security has been added in multiple places. This function checks the validity of the nonce token and checks the user role, closing both the CSRF and the missing authorization issue.
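To make the two points above concrete (is_admin() gating a wp_ajax handler in the Code Analysis section, and the nonce-plus-role check the patch introduces), here is an added example that is not WPvivid's code. It shows a stripped-down handler registered the insecure way next to a hardened version. All function, action and option names (example_add_remote, example_ajax_check_security, the example_ajax nonce action) are made up for illustration; the manage_options capability is an assumption, since the advisory only says that ajax_check_security "checks the user role" without naming it.

```php
<?php
// Added example, not code from the WPvivid plugin. Names are hypothetical.

// --- Insecure pattern -------------------------------------------------------
// is_admin() is true for every request to /wp-admin/admin-ajax.php, so this
// registers the handler for any logged-in user, subscribers included, and the
// handler itself never checks a nonce or a capability.
function example_register_hooks_insecure() {
    if ( is_admin() ) {
        add_action( 'wp_ajax_example_add_remote', 'example_add_remote_insecure' );
    }
}

function example_add_remote_insecure() {
    $remote = isset( $_POST['remote'] ) ? (array) wp_unslash( $_POST['remote'] ) : array();
    // Any authenticated user (or any CSRF victim) can point backups elsewhere.
    update_option( 'example_remote_storage', $remote );
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------------
function example_register_hooks() {
    add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
    add_action( 'wp_ajax_example_add_remote', 'example_add_remote' );
}

// Hand a nonce to the plugin's own admin page so legitimate requests can send
// it back. Assumed: the plugin's settings page has the hook suffix below.
function example_enqueue_admin_script( $hook_suffix ) {
    if ( 'toplevel_page_example-backup' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_ajax' ),
    ) );
}

// Plays the role the advisory attributes to ajax_check_security(): verify the
// nonce (CSRF) and then verify the capability (authorization). Both are needed:
// a nonce proves the request came from a page this user loaded, it says
// nothing about whether that user is allowed to perform the action.
function example_ajax_check_security( $capability = 'manage_options' ) {
    // Third argument false: return instead of die() so we can answer with JSON.
    if ( ! check_ajax_referer( 'example_ajax', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }
}

function example_add_remote() {
    example_ajax_check_security( 'manage_options' ); // assumed capability

    $raw    = isset( $_POST['remote'] ) ? (array) wp_unslash( $_POST['remote'] ) : array();
    $remote = array(
        'type'   => isset( $raw['type'] ) ? sanitize_key( $raw['type'] ) : '',
        'bucket' => isset( $raw['bucket'] ) ? sanitize_text_field( $raw['bucket'] ) : '',
    );
    // Only accept storage types the plugin actually supports (assumed list).
    if ( ! in_array( $remote['type'], array( 's3', 'ftp', 'sftp' ), true ) || '' === $remote['bucket'] ) {
        wp_send_json_error( array( 'message' => 'Invalid remote storage definition' ), 400 );
    }

    update_option( 'example_remote_storage', $remote );
    wp_send_json_success( $remote );
}

example_register_hooks();
```

The ordering inside example_ajax_check_security matters little for security, but the capability check is the one that actually stops the low-privileged user described in this advisory: a subscriber who can load any wp-admin page could obtain a nonce, which is why the nonce alone would only have fixed the CSRF half of the problem.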

Timeline

28-02-2020 – Discovery of the vulnerability in WPvivid and release of a virtual patch to all WebARX customers.

28-02-2020 – Reported the issue to the developer of the WPvivid plugin.

05-03-2020 – Asked for update regarding the report.

17-03-2020 – New version released that fixes the vulnerability in WPvivid plugin.