WordPress Plugin Vulnerabilities

Backup Migration < 1.4.6.1 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

Description

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.

Affects Plugins

Plugin icon
backup-backup
Fixed in 1.4.6.1

References

CVE
CVE-2024-10932
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a0c514-5200-47f4-9d2e-684d68946b9a

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
c319bdd0-dd48-4a4a-8964-7ac420c5bbdd

Timeline

Publicly Published
2025-01-03 (about 1 year ago)
Added
2025-01-03 (about 1 year ago)
Last Updated
2025-01-04 (about 1 year ago)

Other

Published
Title
Published
2025-08-06
Title
Post Grid and Gutenberg Blocks < 2.3.12 - Authenticated (Contributor+) PHP Object Injection
Published
2024-05-07
Title
Ditty – Responsive News Tickers, Sliders, and Lists < 3.1.39 - Authenticated (Contributor+) PHP Object Injection
Published
2017-04-27
Title
SiteBuilder Dynamic Components <= 1.0 - Unauthenticated PHP Object Injection
Published
2025-05-16
Title
WordPress Events Calendar Registration & Tickets <= 2.6.0 - Unauthenticated PHP Object Injection
Published
2025-04-10
Title
Everest Forms < 3.1.2 - Unauthenticated PHP Object Injection