WordPress Plugin Vulnerabilities

WPvivid Backup & Migration Plugin < 0.9.100 - Admin+ PHAR Deserialization

Description

The plugin is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient path validation on the tree_node[node][id] parameter. This makes it possible for authenticated attackers, with admin-level access and above, to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.100

References

CVE
CVE-2024-3054
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf26fc68-9fd4-4e4e-b34f-c947d95891f9

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Maksim Kosenko
Verified
No
WPVDB ID
132dec1f-836a-4236-84f0-c49090223865

Timeline

Publicly Published
2024-04-11 (about 2 years ago)
Added
2024-04-12 (about 2 years ago)
Last Updated
2024-04-12 (about 2 years ago)

Other

Published
Title
Published
2025-09-05
Title
eDS Responsive Menu <= 1.2 - Authenticated (Administrator+) PHP Object Injection
Published
2025-11-02
Title
Maps < 4.8.7 - Authenticated (Administrator+) PHP Object Injection
Published
2026-02-09
Title
Themesflat Elementor <= 1.0.1 - Unauthenticated PHP Object Injection
Published
2025-05-20
Title
Glossary by WPPedia <= 1.3.0 - Authenticated (Administrator+) PHP Object Injection
Published
2024-04-10
Title
WordPress Geo Controller < 8.6.5 - PHP Object Injection