LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36835: Migration, Backup, Staging – WPvivid <= 0.9.35 - Sensitive Information Disclosure

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to sensitive information disclosure of a WordPress site's database due to missing capability checks on the wp_ajax_wpvivid_add_remote AJAX action that allows low-level authenticated attackers to send back-ups to a remote location of their choice for review. This affects versions up to, and including 0.9.35.

MediumCVSS 4.9Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

This WordPress backup plugin flaw could let an authenticated user cause a site database backup to be sent to a remote location they control. The main business risk is exposure of database contents, including sensitive site or customer data, on sites running WPvivid up to version 0.9.35.

Executive priority

Treat as a timely remediation item for affected WordPress sites, not an emergency absent exploitation evidence. Prioritize sites with customer data, member portals, e-commerce data, or many authenticated users.

Technical view

WPvivid Backup, Migration & Staging through 0.9.35 lacks proper capability checks on the wp_ajax_wpvivid_add_remote AJAX action. The cited description says an authenticated lower-level user could direct backups to attacker-controlled remote storage, creating a database confidentiality issue. CVSS is 4.9 with high confidentiality impact.

Likely exposure

Exposure is limited to WordPress sites with the WPvivid plugin installed at version 0.9.35 or earlier, especially where non-administrator authenticated accounts exist or account compromise is plausible.

Exploitation context

The source bundle does not show CISA KEV listing or cited evidence of active exploitation. Exploitation requires authenticated access per the description, but could still be serious because database backups often contain credentials, user records, and site content.

Researcher notes

The bundle identifies CWE-200 and missing authorization around a named AJAX action. There is a notable evidence mismatch: the prose says low-level authenticated attackers, while the CVSS vector records PR:H. Validate privilege assumptions against vendor and plugin change history.

Mitigation direction

  • Inventory WordPress sites using WPvivid and identify versions at or below 0.9.35.
  • Update WPvivid to a current vendor-supported release after confirming vendor guidance.
  • Restrict or remove unnecessary authenticated WordPress accounts, especially low-trust users.
  • Review configured remote backup destinations for unauthorized or unfamiliar entries.
  • Remove the plugin where backup and migration functionality is not required.

Validation and detection

  • Confirm the installed WPvivid version on each WordPress site.
  • Review WordPress user accounts and roles for unnecessary authenticated access.
  • Check backup configuration for unknown remote storage targets.
  • Review administrative and plugin logs for unexpected backup destination changes.
  • Confirm database backups are stored only in approved locations.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-200: Information exposure and cloud metadata lookup

Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36835 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
4.9 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
4.9CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N1.23.6Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

4.9Medium
CVSS 3.1 vector shape for CVE-2020-36835Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
wpvividpluginsWPvivid — Backup, Migration & Staging0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.