CVE-2024-10962

EUVD-2024-33366

14.11.2024, 14:15

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 90%

Affected Products (NVD)

Vendor	Product	Version
wpvivid	migration\,_backup\,_staging	𝑥 < 0.9.108

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
wpvividplugins	migration_backup_staging_wpvivd_backup_and_migration	𝑥 ≤ 0.9.107	ADP

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1104

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1120

https://plugins.trac.wordpress.org/changeset/3186082/

https://www.wordfence.com/threat-intel/vulnerabilities/id/9b4eba78-29f2-4357-ab3c-7bc3c20e0e75?source=cve