CVE-2024-13869

CVE-2024-13869 is an arbitrary file upload vulnerability in the Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress, affecting all versions up to and including 0.9.112. The issue stems from missing file type validation in the 'upload_files' function, which allows authenticated attackers to upload arbitrary files to the affected site's server. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

Authenticated attackers with Administrator-level access or higher can exploit this vulnerability over the network with low complexity. Successful exploitation enables uploading arbitrary files, which may lead to remote code execution on the server. However, uploaded files are only accessible on WordPress instances running NGINX web servers, as an existing .htaccess file in the target upload folder blocks access on Apache servers.

Advisories and references, including the plugin's changeset at https://plugins.trac.wordpress.org/changeset/3242904/wpvivid-backuprestore, indicate a patch has been applied. Additional details on mitigation are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/0082e46d-fdbe-4ab7-bba3-0681a25d4495?source=cve, a GitHub repository at https://github.com/d0n601/CVE-2024-13869, and analysis at https://ryankozak.com/posts/cve-2024-13869/. Security practitioners should update to a version beyond 0.9.112 and review server configuration for NGINX deployments.