WordPress Plugin Vulnerabilities

WPvivid Backup < 0.9.75 - Admin+ PHAR Deserialization

Description

The plugin does not validate the path parameter, which could allow high privilege users such as admin to perform PHAR deserialisation when a suitable gadget chain is also present

Affects Plugins

Plugin icon
wpvivid-backuprestore
Fixed in 0.9.75

References

CVE
CVE-2022-2442

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
4.7 (medium)

Miscellaneous

Original Researcher
Rasoul Jahanshahi
Verified
No
WPVDB ID
dfca6d67-5015-45a8-b292-3a34b8a83b63

Timeline

Publicly Published
2022-08-17 (about 3 years ago)
Added
2022-08-18 (about 3 years ago)
Last Updated
2023-05-10 (about 2 years ago)

Other

Published
Title
Published
2025-07-16
Title
JetFormBuilder < 3.5.2 - Authenticated (Administrator+) PHP Object Injection
Published
2025-01-21
Title
Save as PDF Plugin by Pdfcrowd < 4.4.1 - Unauthenticated PHP Object Injection
Published
2025-08-23
Title
PDF for Contact Form 7 < 6.5.1 - Authenticated (Subscriber+) PHP Object Injection
Published
2024-04-10
Title
WordPress Geo Controller < 8.6.5 - PHP Object Injection
Published
2024-10-28
Title
DS.DownloadList <= 1.3 - Unauthenticated PHP Object Injection