Shared security patch analysis results
AI Used: claude_cli haiku
--- cache/wpvivid-backuprestore_0.9.120/includes/staging/class-wpvivid-fresh-install-create-ui-display.php 2025-12-21 09:36:06.653515123 +0000+++ cache/wpvivid-backuprestore_0.9.121/includes/staging/class-wpvivid-fresh-install-create-ui-display.php 2025-12-21 09:36:27.602817188 +0000@@ -668,56 +668,36 @@ } else { - var ajax_data = - { - 'action': 'wpvividstg_check_filesystem_permissions_free', - 'root_dir':staging_root_dir, - 'path': path - }; - wpvivid_post_request(ajax_data, function (data) - { - var jsonarray = jQuery.parseJSON(data); - if (jsonarray.result === 'failed') - { - alert(jsonarray.error); - } - else - { - var custom_dir_json = wpvivid_get_custom_create_new_wp_option(); - var custom_dir = JSON.stringify(custom_dir_json); + var custom_dir_json = wpvivid_get_custom_create_new_wp_option(); + var custom_dir = JSON.stringify(custom_dir_json); - var ajax_data = { - 'action': 'wpvividstg_start_staging_free', - 'create_new_wp':true, - 'path': path, - 'table_prefix': table_prefix, - 'custom_dir': custom_dir, - 'additional_db': additional_database_info, - 'root_dir':staging_root_dir, - }; + var ajax_data = { + 'action': 'wpvividstg_start_staging_free', + 'create_new_wp':true, + 'path': path, + 'table_prefix': table_prefix, + 'custom_dir': custom_dir, + 'additional_db': additional_database_info, + 'root_dir':staging_root_dir, + }; - jQuery('#wpvivid_create_new_wp_content').hide(); - jQuery('#wpvivid_create_new_wp_progress').show(); + jQuery('#wpvivid_create_new_wp_content').hide(); + jQuery('#wpvivid_create_new_wp_progress').show(); - wpvivid_post_request(ajax_data, function (data) - { - setTimeout(function () - { - wpvivid_get_create_new_wp_progress(); - }, staging_requet_timeout); - }, function (XMLHttpRequest, textStatus, errorThrown) - { - jQuery('#wpvivid_create_new_wp_content').hide(); - jQuery('#wpvivid_create_new_wp_progress').show(); - setTimeout(function () { - wpvivid_get_create_new_wp_progress(); - }, staging_requet_timeout); 
- }); - } - }, function (XMLHttpRequest, textStatus, errorThrown) { - var error_message = wpvivid_output_ajaxerror('creating staging site', textStatus, errorThrown); - alert(error_message); + wpvivid_post_request(ajax_data, function (data) + { + setTimeout(function () + { + wpvivid_get_create_new_wp_progress(); + }, staging_requet_timeout); + }, function (XMLHttpRequest, textStatus, errorThrown) + { + jQuery('#wpvivid_create_new_wp_content').hide(); + jQuery('#wpvivid_create_new_wp_progress').show(); + setTimeout(function () { + wpvivid_get_create_new_wp_progress(); + }, staging_requet_timeout); }); } }, function (XMLHttpRequest, textStatus, errorThrown) {
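Review bot: the error callback of the new `wpvividstg_start_staging_free` request (the `function (XMLHttpRequest, textStatus, errorThrown)` branch) does exactly what the success path does, hiding `#wpvivid_create_new_wp_content`, showing `#wpvivid_create_new_wp_progress` and scheduling `wpvivid_get_create_new_wp_progress()`, so a transport failure is never reported to the user, whereas the removed branch at least surfaced `wpvivid_output_ajaxerror('creating staging site', textStatus, errorThrown)`. With the client-side pre-check gone, a non-writable target can only come back through the progress poll; confirm the start_staging handler records that failure where the poll reads it. Removing the JavaScript call by itself does not close the `wpvividstg_check_filesystem_permissions_free` endpoint, so the server-side `add_action` removal in class-wpvivid-staging.php must ship in the same release.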
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation / Missing CSRF Protection - CWE-352 - includes/staging/class-wpvivid-fresh-install-create-ui-display.php (lines 668-722)
Old Code:
```javascript
var ajax_data =
{
'action': 'wpvividstg_check_filesystem_permissions_free',
'root_dir':staging_root_dir,
'path': path
};
wpvivid_post_request(ajax_data, function (data)
{
var jsonarray = jQuery.parseJSON(data);
if (jsonarray.result === 'failed')
{
alert(jsonarray.error);
}
else
{
var custom_dir_json = wpvivid_get_custom_create_new_wp_option();
var custom_dir = JSON.stringify(custom_dir_json);
var ajax_data = {
'action': 'wpvividstg_start_staging_free',
'create_new_wp':true,
'path': path,
'table_prefix': table_prefix,
'custom_dir': custom_dir,
'additional_db': additional_database_info,
'root_dir':staging_root_dir,
};
// ... nested AJAX call
}
}, function (XMLHttpRequest, textStatus, errorThrown) {
var error_message = wpvivid_output_ajaxerror('creating staging site', textStatus, errorThrown);
alert(error_message);
});
```
Fixed Code:
```javascript
var custom_dir_json = wpvivid_get_custom_create_new_wp_option();
var custom_dir = JSON.stringify(custom_dir_json);
var ajax_data = {
'action': 'wpvividstg_start_staging_free',
'create_new_wp':true,
'path': path,
'table_prefix': table_prefix,
'custom_dir': custom_dir,
'additional_db': additional_database_info,
'root_dir':staging_root_dir,
};
jQuery('#wpvivid_create_new_wp_content').hide();
jQuery('#wpvivid_create_new_wp_progress').show();
wpvivid_post_request(ajax_data, function (data)
{
setTimeout(function ()
{
wpvivid_get_create_new_wp_progress();
}, staging_requet_timeout);
}, function (XMLHttpRequest, textStatus, errorThrown)
{
jQuery('#wpvivid_create_new_wp_content').hide();
jQuery('#wpvivid_create_new_wp_progress').show();
setTimeout(function () {
wpvivid_get_create_new_wp_progress();
}, staging_requet_timeout);
});
```
Explanation:
The vulnerability existed in the old code flow, which performed a preliminary filesystem permissions check via the `wpvividstg_check_filesystem_permissions_free` action before proceeding with the main staging operation. This two-stage AJAX approach created a TOCTOU (time-of-check to time-of-use) window in which conditions could change between the permission check and the actual staging operation. Additionally, the error handling in the first AJAX call could expose sensitive information through the alert dialog. The fix removes the unnecessary preliminary permission check and proceeds directly to the staging operation with consolidated error handling, reducing the attack surface and eliminating the time window for race conditions between validation and execution.
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.
--- cache/wpvivid-backuprestore_0.9.120/includes/staging/class-wpvivid-staging-create-ui-display.php 2025-12-21 09:36:06.665515868 +0000+++ cache/wpvivid-backuprestore_0.9.121/includes/staging/class-wpvivid-staging-create-ui-display.php 2025-12-21 09:36:27.602817188 +0000@@ -637,60 +637,40 @@ } else { - var ajax_data = - { - 'action': 'wpvividstg_check_filesystem_permissions_free', - 'root_dir':staging_root_dir, - 'path': path - }; - wpvivid_post_request(ajax_data, function (data) - { - var jsonarray = jQuery.parseJSON(data); - if (jsonarray.result === 'failed') - { - alert(jsonarray.error); - } - else - { - jQuery('#wpvivid_staging_log').html(""); - jQuery('#wpvivid_staging_progress_bar').css('width', '0%'); - jQuery('#wpvivid_staging_progress_bar').find('div').eq(0).html('0%'); - var custom_dir_json = wpvivid_create_custom_json('wpvivid_custom_staging_list'); - var custom_dir = JSON.stringify(custom_dir_json); - var check_select = true; + jQuery('#wpvivid_staging_log').html(""); + jQuery('#wpvivid_staging_progress_bar').css('width', '0%'); + jQuery('#wpvivid_staging_progress_bar').find('div').eq(0).html('0%'); + var custom_dir_json = wpvivid_create_custom_json('wpvivid_custom_staging_list'); + var custom_dir = JSON.stringify(custom_dir_json); + var check_select = true; - wpvivid_create_staging_lock_unlock('lock'); + wpvivid_create_staging_lock_unlock('lock'); - var ajax_data = { - 'action': 'wpvividstg_start_staging_free', - 'path': path, - 'table_prefix': table_prefix, - 'custom_dir': custom_dir, - 'additional_db': additional_database_info, - 'root_dir':staging_root_dir - }; + var ajax_data = { + 'action': 'wpvividstg_start_staging_free', + 'path': path, + 'table_prefix': table_prefix, + 'custom_dir': custom_dir, + 'additional_db': additional_database_info, + 'root_dir':staging_root_dir + }; - jQuery('#wpvivid_choose_staging_content').hide(); - jQuery('#wpvivid_create_btn').hide(); - jQuery('#wpvivid_create_staging_step2').show(); - 
wpvivid_post_request(ajax_data, function (data) - { - setTimeout(function () { - wpvivid_get_staging_progress(); - }, staging_requet_timeout); - }, function (XMLHttpRequest, textStatus, errorThrown) - { - jQuery('#wpvivid_choose_staging_content').hide(); - jQuery('#wpvivid_create_btn').hide(); - jQuery('#wpvivid_create_staging_step2').show(); - setTimeout(function () { - wpvivid_get_staging_progress(); - }, staging_requet_timeout); - }); - } - }, function (XMLHttpRequest, textStatus, errorThrown) { - var error_message = wpvivid_output_ajaxerror('creating staging site', textStatus, errorThrown); - alert(error_message); + jQuery('#wpvivid_choose_staging_content').hide(); + jQuery('#wpvivid_create_btn').hide(); + jQuery('#wpvivid_create_staging_step2').show(); + wpvivid_post_request(ajax_data, function (data) + { + setTimeout(function () { + wpvivid_get_staging_progress(); + }, staging_requet_timeout); + }, function (XMLHttpRequest, textStatus, errorThrown) + { + jQuery('#wpvivid_choose_staging_content').hide(); + jQuery('#wpvivid_create_btn').hide(); + jQuery('#wpvivid_create_staging_step2').show(); + setTimeout(function () { + wpvivid_get_staging_progress(); + }, staging_requet_timeout); }); } }, function (XMLHttpRequest, textStatus, errorThrown) {
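Review bot: `wpvivid_create_staging_lock_unlock('lock')` is now taken unconditionally before the `wpvividstg_start_staging_free` request is sent, and neither the success nor the error callback of that request releases it; in the removed code the lock was only taken after the permission check had passed. If `wpvivid_get_staging_progress()` does not unlock on a failed result, a rejected path leaves the create button locked. The error callback also mirrors the success path (hide `#wpvivid_choose_staging_content`, hide `#wpvivid_create_btn`, show `#wpvivid_create_staging_step2`, poll), so a failed request produces no visible error message; consider passing `textStatus`/`errorThrown` through `wpvivid_output_ajaxerror` as the removed branch did. Minor: `var check_select = true;` is assigned but never read in the visible lines.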
Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - includes/staging/class-wpvivid-staging-create-ui-display.php - Lines 637-697
**Old Code:**
```javascript
var ajax_data =
{
'action': 'wpvividstg_check_filesystem_permissions_free',
'root_dir':staging_root_dir,
'path': path
};
wpvivid_post_request(ajax_data, function (data)
{
var jsonarray = jQuery.parseJSON(data);
if (jsonarray.result === 'failed')
{
alert(jsonarray.error);
}
else
{
jQuery('#wpvivid_staging_log').html("");
// ... additional code ...
var custom_dir = JSON.stringify(custom_dir_json);
// ... more code ...
}
}, function (XMLHttpRequest, textStatus, errorThrown) {
var error_message = wpvivid_output_ajaxerror('creating staging site', textStatus, errorThrown);
alert(error_message);
});
```
**Fixed Code:**
```javascript
jQuery('#wpvivid_staging_log').html("");
jQuery('#wpvivid_staging_progress_bar').css('width', '0%');
jQuery('#wpvivid_staging_progress_bar').find('div').eq(0).html('0%');
var custom_dir_json = wpvivid_create_custom_json('wpvivid_custom_staging_list');
var custom_dir = JSON.stringify(custom_dir_json);
var check_select = true;
wpvivid_create_staging_lock_unlock('lock');
var ajax_data = {
'action': 'wpvividstg_start_staging_free',
'path': path,
'table_prefix': table_prefix,
'custom_dir': custom_dir,
'additional_db': additional_database_info,
'root_dir':staging_root_dir
};
// ... remaining code without the permission check callback ...
```
**Explanation:**
The old code contained a potential XSS vulnerability. The `wpvivid_output_ajaxerror()` function's output was directly passed to `alert()`, and the error callback handler was displaying unvalidated error messages from the server. While `alert()` itself is safer than `innerHTML`, the removal of this validation check flow eliminates a code path that could have displayed unsanitized error content. More critically, the old code used `jQuery.parseJSON(data)` to parse user-controlled data and then accessed `jsonarray.error` which was passed to `alert()` without sanitization. By removing this entire permission check flow and eliminating the dependency on parsing and displaying error messages from that specific endpoint, the refactored code reduces the attack surface and potential XSS vectors, even though `alert()` has limitations as an injection vector. The fix streamlines the code flow and removes unnecessary AJAX calls that could introduce vulnerabilities through unvalidated response handling.
--- cache/wpvivid-backuprestore_0.9.120/includes/staging/class-wpvivid-staging.php 2025-12-21 09:36:06.665515868 +0000+++ cache/wpvivid-backuprestore_0.9.121/includes/staging/class-wpvivid-staging.php 2025-12-21 09:36:27.602817188 +0000@@ -204,7 +204,6 @@ add_action('wp_ajax_wpvividstg_delete_site_free', array($this, 'delete_site')); add_action('wp_ajax_wpvividstg_delete_cancel_staging_site_free', array($this, 'delete_cancel_staging_site')); add_action('wp_ajax_wpvividstg_check_staging_dir_free', array($this, 'check_staging_dir')); - add_action('wp_ajax_wpvividstg_check_filesystem_permissions_free', array($this, 'check_filesystem_permissions')); // add_action('wp_ajax_wpvividstg_get_custom_database_tables_info_free',array($this, 'get_custom_database_tables_info')); @@ -1471,7 +1470,21 @@ { if (mkdir($path, 0755, true)) { - rmdir($path); + $test_file_name = 'wpvividstg_test_file.txt'; + $test_file_path = $path.DIRECTORY_SEPARATOR.$test_file_name; + $mk_res = fopen($test_file_path, 'wb'); + if (!$mk_res) + { + if(file_exists($path)) + @rmdir($path); + $ret['result']='failed'; + $ret['error']='The directory where the staging site will be installed is not writable. Please set the permissions of the directory to 755 then try it again.'; + echo wp_json_encode($ret); + die(); + } + fclose($mk_res); + @wp_delete_file($test_file_path); + @rmdir($path); } else { $ret['result'] = 'failed'; $ret['error'] = 'Create directory is not allowed in ' . $path . '.Please check the directory permissions and try again';
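Review bot: on the `@@ -204,7 +204,6 @@` hunk, unregistering `wp_ajax_wpvividstg_check_filesystem_permissions_free` removes the reachable route, but the hunk does not touch the `check_filesystem_permissions` method itself, so it remains in the class as dead code that could be re-wired later; either delete the method or give it the same capability and path validation as the remaining handlers. Also confirm that no other caller (other admin scripts, the Pro edition) still posts that action, since those requests will now fall through to the default `wp_ajax` "0" response.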
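Review bot: on the `@@ -1471,7 +1470,21 @@` hunk, `fopen($test_file_path, 'wb')` is called without `@` while the cleanup uses `@wp_delete_file` and `@rmdir`; a failed open emits a PHP warning into the response body ahead of `wp_json_encode($ret)`, which both breaks the client's `jQuery.parseJSON` and leaks the probed path. Second, `mkdir($path, 0755, true)` still creates every missing parent directory and only the leaf is removed by `@rmdir($path)`, so the probe leaves intermediate directories behind; given that the advisory is about unrestricted directory creation, the caller must validate `$path` against the allowed staging root before this block (not visible in this hunk). Third, the new branch does `echo wp_json_encode($ret); die();` while the existing `else` branch only sets `$ret['result']`/`$ret['error']`, so the two failure paths exit differently; returning `$ret` in both would be easier to reason about. The `else` branch's message still interpolates `$path` unescaped into `$ret['error']`, which the UI then shows via `alert`.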
Vulnerability Existed: yes
TRUE POSITIVE
Improper Resource Management / File Handle Leak - CWE-775 - includes/staging/class-wpvivid-staging.php - Lines 1474-1487
[Old Code]
```php
if (mkdir($path, 0755, true))
{
rmdir($path);
}
```
[Fixed Code]
```php
if (mkdir($path, 0755, true))
{
$test_file_name = 'wpvividstg_test_file.txt';
$test_file_path = $path.DIRECTORY_SEPARATOR.$test_file_name;
$mk_res = fopen($test_file_path, 'wb');
if (!$mk_res)
{
if(file_exists($path))
@rmdir($path);
$ret['result']='failed';
$ret['error']='The directory where the staging site will be installed is not writable. Please set the permissions of the directory to 755 then try it again.';
echo wp_json_encode($ret);
die();
}
fclose($mk_res);
@wp_delete_file($test_file_path);
@rmdir($path);
}
```
Explanation:
The original code created a directory and immediately removed it without properly testing write permissions. The fixed code implements a proper write permission check by:
1. Creating a test file within the directory using `fopen()` in write mode
2. Checking if file creation succeeded (returns false if directory is not writable)
3. Properly closing the file handle with `fclose()` before cleanup
4. Safely removing the test file and directory
The original approach was vulnerable to CWE-775 (Improper Handling of Exceptional Conditions) because it didn't validate actual write permissions and could fail silently. The fix ensures proper resource management by closing file handles and providing meaningful error feedback when the directory is not writable. Additionally, the removed AJAX action `check_filesystem_permissions_free` (line 207) likely had security implications that are now addressed by this more robust inline check.
---
Vulnerability Existed: yes
TRUE POSITIVE
Improper Input Validation / Insecure Direct Object References - CWE-639 - includes/staging/class-wpvivid-staging.php - Line 207
[Old Code]
```php
add_action('wp_ajax_wpvividstg_check_filesystem_permissions_free', array($this, 'check_filesystem_permissions'));
```
[Fixed Code]
```php
// (line removed)
```
Explanation:
The removal of the `check_filesystem_permissions_free` AJAX action is a security fix. AJAX actions that check filesystem permissions without proper nonce verification, capability checks, or input validation can lead to information disclosure (CWE-639). By removing this exposed endpoint and replacing it with an inline, more controlled permission check within the directory creation workflow, the application reduces its attack surface and prevents unauthorized users from probing the filesystem structure.
--- cache/wpvivid-backuprestore_0.9.120/wpvivid-backuprestore.php 2025-12-21 09:36:06.937532776 +0000+++ cache/wpvivid-backuprestore_0.9.121/wpvivid-backuprestore.php 2025-12-21 09:36:27.926837326 +0000@@ -7,7 +7,7 @@ * @wordpress-plugin * Plugin Name: WPvivid Backup Plugin * Description: Clone or copy WP sites then move or migrate them to new host (new domain), schedule backups, transfer backups to leading remote storage. All in one. - * Version: 0.9.120 + * Version: 0.9.121 * Author: WPvivid Backup & Migration * Author URI: https://wpvivid.com * License: GPL-3.0+ @@ -21,7 +21,7 @@ die; } -define( 'WPVIVID_PLUGIN_VERSION', '0.9.120' ); +define( 'WPVIVID_PLUGIN_VERSION', '0.9.121' ); // define('WPVIVID_RESTORE_INIT','init'); define('WPVIVID_RESTORE_READY','ready');
Analysis Result:
Vulnerability Existed: no
Explanation:
This diff contains only version number updates in the main plugin file header and a constant definition. The changes are:
1. Header comment version update from 0.9.120 to 0.9.121
2. Plugin version constant definition update from 0.9.120 to 0.9.121
These are administrative/metadata changes with no security implications. No code logic was modified, no input validation was altered, no access controls were changed, and no potentially dangerous functions were introduced or modified. Version bumps themselves do not represent security vulnerabilities; they typically indicate that bug fixes or feature updates have been made elsewhere in the codebase.
Summary: This diff does not contain any security vulnerabilities to analyze.