PatchSiren


CVE-2025-12656 wpvividplugins CVE debrief

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the delete_cancel_staging_site() function in all versions up to, and including, 0.9.128. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server, which leads to a loss of data.

  • Vendor: wpvividplugins
  • Product: WPvivid — Backup, Migration & Staging
  • CVSS: LOW 3.8
  • CISA KEV: Not listed in stored evidence
  • Original CVE published: 2026-06-06
  • Original CVE updated: 2026-06-08
  • Advisory published: 2026-06-06
  • Advisory updated: 2026-06-08

Who should care

Administrators of WordPress sites using the Migration, Backup, Staging – WPvivid Backup & Migration plugin. Exploitation requires an authenticated account with Administrator-level access or above.

Technical summary

The vulnerability exists in the delete_cancel_staging_site() function within the Migration, Backup, Staging – WPvivid Backup & Migration plugin. Insufficient file path validation allows authenticated attackers with Administrator-level access to delete arbitrary directories on the server.
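The page does not show the plugin's code or its fix. As an added example (not WPvivid's code), this is a generic containment check of the kind a directory-deletion routine needs before it removes anything; the function name `resolve_inside_base` and all paths are hypothetical and constructed for the demo.

```php
<?php
/**
 * Return the canonical form of $requested only if it is an existing
 * directory strictly inside $base; return null for anything else.
 * Hypothetical helper for illustration.
 */
function resolve_inside_base(string $base, string $requested): ?string
{
    $realBase = realpath($base);
    $realPath = realpath($requested); // collapses "..", follows symlinks
    if ($realBase === false || $realPath === false || !is_dir($realPath)) {
        return null;
    }
    // Compare against "base + separator": this rejects the base itself and
    // siblings that merely share a string prefix (e.g. "staging-old").
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realPath, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $realPath;
}

// Constructed directory tree in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir("$root/staging/site1", 0700, true);
mkdir("$root/staging-old", 0700, true);
mkdir("$root/uploads", 0700, true);

$base  = "$root/staging";
$cases = [ // requested path => should deletion be allowed?
    "$root/staging/site1"      => true,
    "$root/staging/../uploads" => false, // resolves outside the base
    "$root/staging-old"        => false, // shares a prefix, not a child
    "$root/staging"            => false, // the base itself
    "$root/staging/missing"    => false, // does not exist
];
foreach ($cases as $path => $expected) {
    $allowed = resolve_inside_base($base, $path) !== null;
    printf("%-6s %s\n", $allowed ? 'allow' : 'reject', substr($path, strlen($root)));
    if ($allowed !== $expected) {
        throw new RuntimeException("unexpected result for $path");
    }
}

// Remove the demo tree (children before parents).
foreach (["$root/staging/site1", "$root/staging", "$root/staging-old", "$root/uploads", $root] as $dir) {
    rmdir($dir);
}
```

A caller should delete the canonical path the helper returns, not the string it was given, and run the check immediately before the deletion.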

Defensive priority

low

Recommended defensive actions

  • Update the Migration, Backup, Staging – WPvivid Backup & Migration plugin to a version later than 0.9.128.
  • Restrict Administrator-level access to trusted users only.
  • Back up critical data regularly to limit the impact of data loss.

Evidence notes

CVE-2025-12656 has a CVSS score of 3.8 and is considered LOW severity. The vulnerability was published on 2026-06-06T00:16:40.077Z and modified on 2026-06-08T14:57:14.757Z.
