WPvivid Backup & Migration Plugin Vulnerability (CVE-2025-12656)

Security Alert Summary

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress contains a vulnerability that allows authenticated users with Administrator-level access (and above) to delete arbitrary directories on the server. The issue is caused by insufficient file path validation in a staging-related function, and can lead to loss of data on affected sites.


CVE Details

  • CVE ID: CVE-2025-12656
  • Affected component: Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress
  • Affected versions: All versions up to, and including, 0.9.128
  • Published: June 6, 2026 at 12:16:40 AM UTC
  • Last modified: June 6, 2026 at 12:16:40 AM UTC
  • CVSS v3.1 base score: 3.8 (LOW)
  • CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L
  • Authentication / privileges / user interaction: Requires an authenticated user with Administrator-level access or higher. (CVSS: Privileges Required = HIGH, User Interaction = NONE)
  • Primary impacts: Integrity: Low (arbitrary deletion of folders); Availability: Low (loss of files/data). Confidentiality: None per CVSS data.
  • CWE / weakness: CWE-73 (External Control of File Name or Path)

Technical Details

The vulnerability is caused by insufficient file path validation in the plugin’s staging code. Specifically, the delete_cancel_staging_site() function fails to correctly validate paths before removing directories. This allows an authenticated user with the required privileges to trigger deletion of arbitrary folders on the server via the staging cancellation code path.

The practical impact is deletion of files or directories that the plugin or site relies on (for example backups, staging copies, or site assets). The issue does not indicate a direct confidentiality impact in the provided data, but deleted files may be lost or may require recovery from external backups.
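As an added example (not WPvivid's own code), here is the kind of path-containment check in PHP that a staging-deletion routine should apply before any recursive removal; the staging base directory and the temporary layout it operates on are constructed for the demo, and a path that resolves outside the base is refused and logged.

```php
<?php
// Added example, not plugin code. Assumption: $base is the plugin's staging root
// (here a constructed temp directory) and $candidate originates from user input.

function resolve_within_base(string $base, string $candidate): ?string {
    $real_base = realpath($base);
    $real_candidate = realpath($candidate);
    if ($real_base === false || $real_candidate === false) {
        return null; // base or target does not exist; nothing to delete
    }
    // Compare with trailing separators so "staging-demo-other" is not
    // mistaken for a child of "staging-demo".
    $real_base = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real_candidate_sep = rtrim($real_candidate, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Refuse the base itself and anything outside it: "../" escapes,
    // absolute paths elsewhere, and symlinks that realpath() resolves away.
    if ($real_candidate_sep === $real_base
        || strncmp($real_candidate_sep, $real_base, strlen($real_base)) !== 0) {
        return null;
    }
    return $real_candidate;
}

function delete_staging_dir(string $base, string $candidate): bool {
    $target = resolve_within_base($base, $candidate);
    if ($target === null) {
        error_log("Refused to delete path outside staging base: $candidate");
        return false;
    }
    // Only a validated, contained directory reaches the recursive delete.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($target, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $f) {
        $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
    }
    return rmdir($target);
}

// Demonstration on a constructed temp layout.
$base = sys_get_temp_dir() . '/wpvivid-staging-demo';
@mkdir("$base/site-a/wp-content", 0700, true);
file_put_contents("$base/site-a/wp-content/x.txt", 'demo');
var_dump(delete_staging_dir($base, "$base/site-a"));      // contained: removed
var_dump(delete_staging_dir($base, "$base/../"));         // escapes base: refused
var_dump(delete_staging_dir($base, sys_get_temp_dir()));  // parent dir: refused
```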


How This Could Impact Your Website

Consider a small team managing a WordPress site where the site owner, internal staff editors, and an external contractor all have accounts. If an attacker or a trusted user with Administrator-level access triggers the vulnerable staging deletion path, folders used for backups or staging copies could be removed. Practical consequences include:

  • Loss of backup or staging data that could hinder recovery after other incidents.
  • Loss of site assets or plugin-generated files, potentially causing site malfunctions until files are restored.
  • Increased operational risk and time spent on recovery, which could enable social engineering or phishing attempts that exploit the disruption.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and privileges, especially Administrator-level accounts and contributor roles.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Ensure you have reliable off-site backups and test restore procedures regularly.
  • Monitor site activity and logs for unusual behavior related to staging or file operations.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References