CVE-2024-56273
Published: 07 January 2025
Summary
CVE-2024-56273 is a medium-severity Missing Authorization (CWE-862) vulnerability in Wpvivid Migration\, Backup\, Staging. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-56273 is a missing authorization vulnerability, classified under CWE-862, in the WPvivid Backup and Migration WordPress plugin (wpvivid-backuprestore). The issue allows accessing functionality not properly constrained by access control lists (ACLs). It affects all versions of the plugin from its initial release through 0.9.106.
The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N). Exploitation requires low privileges (PR:L) and can be performed over the network with low attack complexity and no user interaction. A successful attack results in low-impact integrity violations, enabling unauthorized access to restricted plugin functionality.
The Patchstack advisory provides further details on this broken access control vulnerability in WPvivid Backup and Migration version 0.9.106: https://patchstack.com/database/Wordpress/Plugin/wpvivid-backuprestore/vulnerability/wordpress-wpvivid-backup-plugin-0-9-106-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53070
Vulnerability details
Missing Authorization vulnerability in wpvividplugins WPvivid Backup and Migration wpvivid-backuprestore allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPvivid Backup and Migration: from n/a through <= 0.9.106.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin directly enables exploitation of an internet-facing application to access restricted functionality.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to system resources, directly addressing the missing ACL constraints that allow low-privileged users to access restricted WPvivid plugin functionality.
Employs least privilege to restrict low-privileged users from accessing sensitive backup and migration features exploited due to inadequate authorization.
Requires timely identification, reporting, and remediation of flaws like this missing authorization vulnerability through plugin patching.