Updated: December 8, 2020

Vulnerability In WPvivid Can Lead To Database Leak

Oliver Sild
from patchstack

There is a missing authorization check in the WPvivid plugin that can lead to the exposure of the database and all files of the WordPress site.

The WPvivid Backup Plugin is described as “Migrate a copy of WP site to a new host (a new domain), schedule backups, send backups to leading remote storage. All in one backup&migration plugin”.

Vulnerability In WPvivid

When we looked through the code of this plugin, we noticed that there are wp_ajax actions that do not have a proper authorization check in place and that are also missing nonce checks, which leads to CSRF as well.

The plugin has 30,000+ active installations as of February 28th, 2020. The issue has been fixed in version 0.9.36.

The Issue in WPvivid

The most critical registered wp_ajax action that does not have an authorization check would be wp_ajax_wpvivid_add_remote.

It allows any authenticated user, regardless of their user role, to add a new remote storage location and set it as the default backup location.

This means that the next time the backup runs, it will use this backup location and upload the backup to this location.

For example, an evil person could set up an S3 Bucket at AWS and set it as a default remote location on the site. Then next time the backup runs, the entire database and/or files will be uploaded to the S3 Bucket of the evil person.

Code Analysis

In /includes/class-wpvivid.php, we see the following code:

if(is_admin())
{
    $this->define_admin_hook();
    //Add ajax hook (registered whenever is_admin() is true, including admin-ajax.php requests)
    $this->load_ajax_hook_for_admin();
}

is_admin() also returns true for requests to /wp-admin/admin-ajax.php, which regular users can call. The load_ajax_hook_for_admin function registers a number of wp_ajax actions.

Surprisingly, all of them except the wp_ajax_wpvivid_add_remote action have an authorization check. However, this might not matter much, because there is not a single nonce check in the entire plugin, which exposes pretty much every action to CSRF.

The wp_ajax_wpvivid_add_remote action is bound to the add_remote function, which determines the type of remote location, checks its validity, and then adds it to the list of remote locations.

It also checks if the default attribute is present and if so, will adjust the scheduled backup settings to change the remote location to the one that is being added.
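To make the two missing controls concrete, here is an added example (not WPvivid's own code) of an AJAX handler with the same weakness next to a hardened version. The action names, the option key and the remote-type allow-list are assumed for illustration.

```php
<?php
// Added example, not WPvivid's code. Handler names and the option key are assumed.

// Unsafe: any logged-in user who reaches admin-ajax.php can trigger this action.
// No capability check (authorization) and no nonce (CSRF protection).
add_action( 'wp_ajax_example_add_remote_unsafe', function () {
    $remote = array(
        'type'   => sanitize_text_field( wp_unslash( $_POST['type'] ?? '' ) ),
        'bucket' => sanitize_text_field( wp_unslash( $_POST['bucket'] ?? '' ) ),
    );
    update_option( 'example_backup_remote', $remote ); // assumed option key
    wp_send_json_success( $remote );
} );

// Hardened: the nonce defeats CSRF, the capability check enforces authorization.
// Both are needed: a nonce alone still lets a subscriber change the setting, and a
// capability check alone still lets a forged request from an admin's browser through.
add_action( 'wp_ajax_example_add_remote', function () {
    // Dies with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_add_remote', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $type = sanitize_text_field( wp_unslash( $_POST['type'] ?? '' ) );
    if ( ! in_array( $type, array( 's3', 'ftp', 'dropbox' ), true ) ) { // assumed allow-list
        wp_send_json_error( 'unknown remote type', 400 );
    }

    $remote = array(
        'type'   => $type,
        'bucket' => sanitize_text_field( wp_unslash( $_POST['bucket'] ?? '' ) ),
    );
    update_option( 'example_backup_remote', $remote ); // assumed option key
    wp_send_json_success( $remote );
} );

// The nonce is only handed to the plugin's own admin page, so a third-party page
// that forges the request cannot supply a valid one.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'exampleRemote', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_add_remote' ),
    ) );
} );
```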

Timeline

28-02-2020 - Discovery of the vulnerability in WPvivid and release of a virtual patch to all Patchstack customers.
28-02-2020 - Reported the issue to the developer of the WPvivid plugin.
05-03-2020 - Asked for an update regarding the report.
17-03-2020 - New version released that fixes the vulnerability in WPvivid plugin.

See more about the vulnerability from the Patchstack vulnerability database.
