CVE-2024-13869: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress contains a vulnerability (CVE-2024-13869) related to arbitrary file uploads. The vulnerability exists in versions up to and including 0.9.112, due to missing file type validation in the 'upload_files' function. The issue was discovered and disclosed on February 22, 2025 (NVD).

The vulnerability stems from the wpvividuploadfile action which calls the upload_files function in class-wpvivid-backup-uploader.php. While the function implements nonce checks and user permission verification, it fails to properly validate the types of files being uploaded to the server. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Wordfence).

This vulnerability allows authenticated attackers with Administrator-level access or above to upload arbitrary files to the affected site's server, potentially enabling remote code execution. Notably, the uploaded files are only accessible on WordPress instances running on NGINX web servers, as the existing .htaccess within the target file upload folder prevents access on Apache servers (NVD).

A patch has been released to address this vulnerability. Site administrators are advised to update the WPvivid Backup & Migration plugin to a version newer than 0.9.112. The fix can be found in the WordPress plugin repository (WordPress Patch).