CVE-2024-13869
Published: 22 February 2025
Summary
CVE-2024-13869 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpvivid Wpvivid Backup \& Migration. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through patching the WPvivid plugin to versions beyond 0.9.112 where file type validation is implemented.
Addresses the core issue of missing file type validation by enforcing comprehensive input validation on file uploads to block arbitrary dangerous files.
Reduces exploitability by enforcing least privilege to minimize users with Administrator access needed for the authenticated file upload attack.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated (Admin+) arbitrary file upload vulnerability in WPvivid plugin enables exploitation of a public-facing WordPress application (T1190) and facilitates deployment of web shells for remote code execution (T1505.003), particularly accessible on NGINX servers.
NVD Description
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible…
more
for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
Deeper analysisAI
CVE-2024-13869 is an arbitrary file upload vulnerability in the Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress, affecting all versions up to and including 0.9.112. The issue stems from missing file type validation in the 'upload_files' function, which allows authenticated attackers to upload arbitrary files to the affected site's server. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).
Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity. Successful exploitation enables uploading arbitrary files, which may lead to remote code execution on the server. However, uploaded files are only accessible on WordPress instances running NGINX web servers, as an existing .htaccess file in the target upload folder blocks access on Apache servers.
Advisories and references, including the plugin's changeset at https://plugins.trac.wordpress.org/changeset/3242904/wpvivid-backuprestore, indicate a patch has been applied. Additional details on mitigation are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/0082e46d-fdbe-4ab7-bba3-0681a25d4495?source=cve, a GitHub repository at https://github.com/d0n601/CVE-2024-13869, and analysis at https://ryankozak.com/posts/cve-2024-13869/. Security practitioners should update to a version beyond 0.9.112 and review server configuration for NGINX deployments.
Details
- CWE(s)