Untrusted Input Vulnerability in WPvivid Backup & Migration Plugin for WordPress Allows Deserialization of Arbitrary PHP Objects
CVE-2024-3054

7.2HIGH

What is CVE-2024-3054?

The WPvivid Backup & Migration Plugin for WordPress contains a vulnerability stemming from improper path validation on the tree_node[node][id] parameter. This flaw allows authenticated attackers with admin-level access to exploit the deserialization of untrusted input through a PHAR wrapper. If the attacker combines this vulnerability with a potentially present PHP Object Pollution (POP) chain from other plugins or themes, they can execute arbitrary code, delete files, or extract sensitive information from the affected system.

Affected Version(s)

WPvivid β€” Backup, Migration & Staging 0 <= 0.9.99

References

EPSS Score

41% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Maksim Kosenko
.