WordPress Plugin Vulnerabilities

All in One WP Migration < 7.90 - Unauthenticated PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.

Affects Plugins

Plugin icon
all-in-one-wp-migration
Fixed in 7.90

References

CVE
CVE-2024-10942
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0823d1d9-4f3b-4ac0-8cd1-ad208ebc325f

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
6eb62386-df9b-4d6d-af0d-2cba963e8bd2

Timeline

Publicly Published
2025-03-12 (about 11 months ago)
Added
2025-03-13 (about 11 months ago)
Last Updated
2025-03-13 (about 11 months ago)

Other

Published
Title
Published
2025-01-07
Title
WC Price History for Omnibus < 2.1.5 - Authenticated (Shop manager+) PHP Object Injection
Published
2025-05-13
Title
Uncanny Automator < 6.4.0.2 - Unauthenticated PHP Object Injection in automator_api_decode_message Function
Published
2025-06-24
Title
Kriya <= 3.4 - Authenticated (Subscriber+) PHP Object Injection
Published
2023-01-02
Title
Google Analyticator < 6.5.6 - Admin+ PHP Object Injection
Published
2025-05-06
Title
PGS Core < 5.9.0 - Unauthenticated PHP Object Injection