Security researchers have identified a critical SQL injection vulnerability in the popular Migration, Backup, Staging – WPvivid plugin for WordPress. Version 0.9.68 is affected because the user-supplied ‘table_prefix’ parameter is insufficiently escaped and the existing SQL query is not properly prepared. This flaw allows unauthenticated attackers to append additional SQL queries, potentially leading to the extraction of sensitive information from the WordPress database.
The severity of this vulnerability is emphasized by its base score of 9.8 (CRITICAL) on the CVSS 3.1 scale, as reported by Wordfence, the organization that uncovered the issue. Unauthenticated attackers can exploit the SQL injection by manipulating the ‘table_prefix’ parameter, inserting malicious queries into existing ones and potentially gaining unauthorized access to, and extracting, sensitive data from the WordPress database. Website administrators should urgently update the WPvivid plugin to the latest version to mitigate the risk of exploitation.
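The flaw described above hinges on ‘table_prefix’ being an SQL identifier, which value placeholders cannot bind; the following is an added illustration, not WPvivid's own code, showing a hypothetical handler in the vulnerable pattern beside a hardened version that gates the request and allow-lists the prefix. All function and parameter names other than ‘table_prefix’ are assumptions.

```php
<?php
// Added illustration, not WPvivid's own code: a hypothetical handler that
// builds a table name from the request-supplied 'table_prefix' parameter.

// Vulnerable pattern: 'table_prefix' is an SQL identifier, so it is dropped
// straight into the statement. $wpdb->prepare() placeholders (%s) quote
// values, not identifiers, and esc_sql() only escapes quotes, so neither
// protects this spot; any request-supplied string reaches the database.
function list_autoload_options_vulnerable( array $request ) {
    global $wpdb;
    $prefix = $request['table_prefix'];
    $sql    = "SELECT option_name FROM {$prefix}options WHERE autoload = 'yes'";
    return $wpdb->get_col( $sql );
}

// Hardened form. Returns the prefix only if it is made of unquoted MySQL
// identifier characters; anything else (spaces, quotes, semicolons, comment
// markers) is rejected outright rather than "cleaned up".
function validate_table_prefix( $prefix ) {
    if ( ! is_string( $prefix ) || ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $prefix ) ) {
        return null;
    }
    return $prefix;
}

function list_autoload_options_hardened( array $request ) {
    global $wpdb;

    // 1. The report says the flaw was reachable unauthenticated; gate the call.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }

    // 2. Allow-list the identifier, and pin it to the prefix WordPress is
    //    actually configured with so the request cannot select other tables.
    $prefix = validate_table_prefix( $request['table_prefix'] ?? '' );
    if ( null === $prefix || $prefix !== $wpdb->prefix ) {
        return new WP_Error( 'invalid_prefix', 'Unknown table prefix.' );
    }

    // 3. Backtick-quote the validated identifier; bind the value with prepare().
    $table = '`' . $prefix . 'options`';
    $sql   = $wpdb->prepare(
        "SELECT option_name FROM {$table} WHERE autoload = %s",
        'yes'
    );
    return $wpdb->get_col( $sql );
}
```

The key check is that the identifier is validated against a strict pattern and compared to the site's own configured prefix; escaping alone cannot make an identifier safe.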
For further details, administrators can refer to the provided resources, including the official changeset on the WordPress plugin repository and a detailed analysis of the vulnerabilities by HISolutions. Additionally, Wordfence has published threat intelligence on this particular vulnerability, offering insights and guidance on safeguarding WordPress sites from potential exploitation.