Untrusted Input Vulnerability in WPvivid Backup & Migration Plugin for WordPress Allows Deserialization of Arbitrary PHP Objects
CVE-2024-3054
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 12 April 2024
What is CVE-2024-3054?
The WPvivid Backup & Migration Plugin for WordPress contains a vulnerability stemming from improper path validation on the tree_node[node][id] parameter. This flaw allows authenticated attackers with admin-level access to exploit the deserialization of untrusted input through a PHAR wrapper. If the attacker combines this vulnerability with a potentially present PHP Object Pollution (POP) chain from other plugins or themes, they can execute arbitrary code, delete files, or extract sensitive information from the affected system.
Affected Version(s)
WPvivid β Backup, Migration & Staging 0 <= 0.9.99
References
EPSS Score
41% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Maksim Kosenko