CVE-2022-2442
First published: Tue Sep 06 2022(Updated: )
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WPvivid Migration, Backup, Staging | <=0.9.74 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1747
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1783
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2766112%40wpvivid-backuprestore%2Ftrunk%2Fincludes%2Fstaging%2Fclass-wpvivid-staging.php&new=2766112%40wpvivid-backuprestore%2Ftrunk%2Fincludes%2Fstaging%2Fclass-wpvivid-staging.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b7e2ca2e-c495-47f8-9c18-da5ba73d9e70?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2442
Frequently Asked Questions
What is CVE-2022-2442?
CVE-2022-2442 is a vulnerability in the Migration, Backup, Staging – WPvivid plugin for WordPress that allows authenticated attackers with administrative privileges to call files using a PHAR wrapper.
What is the severity of CVE-2022-2442?
CVE-2022-2442 has a severity rating of 7.2, which is considered high.
How does CVE-2022-2442 impact the WPvivid plugin?
CVE-2022-2442 allows attackers to exploit the deserialization of untrusted input via the 'path' parameter in the WPvivid plugin.
How can an attacker exploit CVE-2022-2442?
An attacker with administrative privileges can exploit CVE-2022-2442 by calling files using a PHAR wrapper.
Is there a fix for CVE-2022-2442?
Yes, upgrading the WPvivid plugin to a version beyond 0.9.74 will fix the vulnerability.
- agent/type
- agent/softwarecombine
- agent/references
- agent/remedy
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- vendor/wpvivid
- canonical/wpvivid migration, backup, staging
- version/wpvivid migration, backup, staging/0.9.74