Cyber Resilience

CVE-2024-13869

HighPublic PoC

Published: 22 February 2025

Published
22 February 2025
Modified
05 March 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.2187 95.9th percentile
Risk Priority 28 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13869 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Wpvivid Wpvivid Backup \& Migration. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads stemming from missing file type validation in the upload_files function. This affects all versions through 0.9.112 and is tracked as CWE-434. The flaw permits unauthenticated file writes on the server when the plugin processes certain upload requests.

Authenticated users holding Administrator privileges or higher can exploit the issue over the network to upload arbitrary files, which may enable remote code execution on the affected site. Exploitation is limited to WordPress instances running behind NGINX because an existing .htaccess file blocks access on Apache servers. The vulnerability carries a CVSS 3.1 score of 7.2.

Public references point to a WordPress plugin changeset that addresses the missing validation, indicating that updating to a version beyond 0.9.112 is the primary mitigation. Additional details are available in the Wordfence advisory and independent analyses that confirm the patch scope.

The EPSS score has reached a peak of 0.2344 with a current value of 0.2187, reflecting moderate and relatively stable exploitation interest since disclosure.

EU & UK References

Vulnerability details

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible…

more

for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Authenticated (Admin+) arbitrary file upload vulnerability in WPvivid plugin enables exploitation of a public-facing WordPress application (T1190) and facilitates deployment of web shells for remote code execution (T1505.003), particularly accessible on NGINX servers.

CVEs Like This One

CVE-2025-46384Shared CWE-434
CVE-2025-13516Shared CWE-434
CVE-2024-13011Shared CWE-434
CVE-2025-8323Shared CWE-434
CVE-2025-21624Shared CWE-434
CVE-2026-35164Shared CWE-434
CVE-2026-2097Shared CWE-434
CVE-2025-12154Shared CWE-434
CVE-2026-42748Shared CWE-434
CVE-2025-32957Shared CWE-434

Affected Assets

wpvivid
wpvivid backup \& migration
≤ 0.9.113

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through patching the WPvivid plugin to versions beyond 0.9.112 where file type validation is implemented.

prevent

Addresses the core issue of missing file type validation by enforcing comprehensive input validation on file uploads to block arbitrary dangerous files.

prevent

Reduces exploitability by enforcing least privilege to minimize users with Administrator access needed for the authenticated file upload attack.

References