Security readout for executives and security teams
Plain-English summary
This WordPress backup plugin flaw could let an authenticated user cause a site database backup to be sent to a remote location they control. The main business risk is exposure of database contents, including sensitive site or customer data, on sites running WPvivid up to version 0.9.35.
Executive priority
Treat as a timely remediation item for affected WordPress sites, not an emergency absent exploitation evidence. Prioritize sites with customer data, member portals, e-commerce data, or many authenticated users.
Technical view
WPvivid Backup, Migration & Staging through 0.9.35 lacks proper capability checks on the wp_ajax_wpvivid_add_remote AJAX action. The cited description says an authenticated lower-level user could direct backups to attacker-controlled remote storage, creating a database confidentiality issue. CVSS is 4.9 with high confidentiality impact.
Likely exposure
Exposure is limited to WordPress sites with the WPvivid plugin installed at version 0.9.35 or earlier, especially where non-administrator authenticated accounts exist or account compromise is plausible.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. Exploitation requires authenticated access per the description, but could still be serious because database backups often contain credentials, user records, and site content.
Researcher notes
The bundle identifies CWE-200 and missing authorization around a named AJAX action. There is a notable evidence mismatch: the prose says low-level authenticated attackers, while the CVSS vector records PR:H. Validate privilege assumptions against vendor and plugin change history.
Mitigation direction
- Inventory WordPress sites using WPvivid and identify versions at or below 0.9.35.
- Update WPvivid to a current vendor-supported release after confirming vendor guidance.
- Restrict or remove unnecessary authenticated WordPress accounts, especially low-trust users.
- Review configured remote backup destinations for unauthorized or unfamiliar entries.
- Remove the plugin where backup and migration functionality is not required.
Validation and detection
- Confirm the installed WPvivid version on each WordPress site.
- Review WordPress user accounts and roles for unnecessary authenticated access.
- Check backup configuration for unknown remote storage targets.
- Review administrative and plugin logs for unexpected backup destination changes.
- Confirm database backups are stored only in approved locations.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupDatabase behavior lookup
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2020-36835 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 4.9 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N1.23.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
4.9MediumVector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- https://www.wordfence.com/threat-intel/vulnerabilities/id/90c3f8bc-fc41-4ba7-b9f2-8873203d5794?source=cveCVE reference
- https://www.webarxsecurity.com/vulnerability-in-wpvivid-backup-plugin-can-lead-to-database-leak/?fbclid=IwAR3Ve74ZIvmx-aC0OssIWYwcWEjGq6yU16DcyVGHD1XUT3uYaZ3QyVu_Eos&utm_content=buffer4435b&utm_medium=social&utm_source=facebook.com&utm_campaign=bufferCVE reference
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2261665%40wpvivid-backuprestore%2Ftrunk&old=2252870%40wpvivid-backuprestore%2Ftrunk&sfp_email=&sfph_mail=CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
