CVE-2024-13869

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/d0n601/CVE-2024-13869", "name": "https://github.com/d0n601/CVE-2024-13869", "tags": ["Third Party Advisory", "Exploit"], "refsource": ""}, {"url": "https://plugins.trac.wordpress.org/changeset/3242904/wpvivid-backuprestore", "name": "https://plugins.trac.wordpress.org/changeset/3242904/wpvivid-backuprestore", "tags": ["Patch"], "refsource": ""}, {"url": "https://ryankozak.com/posts/cve-2024-13869/", "name": "https://ryankozak.com/posts/cve-2024-13869/", "tags": ["Product", "Exploit"], "refsource": ""}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0082e46d-fdbe-4ab7-bba3-0681a25d4495?source=cve", "name": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0082e46d-fdbe-4ab7-bba3-0681a25d4495?source=cve", "tags": ["Third Party Advisory"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The Migration, Backup, Staging \u2013 WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2024-13869", "ASSIGNER": "cve-request@wordfence.com"}}, "impact": {}, "publishedDate": "2025-02-22T13:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:wpvivid:wpvivid_backup_\\&_migration:*:*:*:*:*:wordpress:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "0.9.113"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-03-05T21:28Z"}