CVE-2024-10962: Migration, Backup, Staging – WPvivid <= 0.9.107 - Unauthenticated PHP Object Injection
First published: Thu Nov 14 2024(Updated: )
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WPvivid Backup and Migration | <=0.9.107 | |
| WPvivid Migration, Backup, Staging | <0.9.108 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9b4eba78-29f2-4357-ab3c-7bc3c20e0e75?source=cve
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1104
- https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging-copy-db-ex.php#L1120
- https://plugins.trac.wordpress.org/changeset/3186082/
Frequently Asked Questions
What is the severity of CVE-2024-10962?
CVE-2024-10962 is considered a critical vulnerability due to its potential for PHP Object Injection, which can lead to remote code execution.
How do I fix CVE-2024-10962?
To fix CVE-2024-10962, update the WPvivid Migration, Backup, Staging plugin to version 0.9.108 or later, which addresses the vulnerability.
What is PHP Object Injection as it relates to CVE-2024-10962?
PHP Object Injection in CVE-2024-10962 occurs when untrusted input is deserialized, potentially allowing an attacker to execute malicious code.
Which versions of WPvivid Migration, Backup, Staging are affected by CVE-2024-10962?
All versions of the WPvivid Migration, Backup, Staging plugin up to and including 0.9.107 are affected by CVE-2024-10962.
Can CVE-2024-10962 lead to unauthorized access?
Yes, CVE-2024-10962 can potentially allow attackers to gain unauthorized access to the WordPress site by exploiting the vulnerability.
- agent/references
- agent/title
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- vendor/wpvivid
- canonical/wpvivid backup and migration
- canonical/wpvivid migration, backup, staging