CVE-2022-2442

Name of the Vulnerable Software and Affected Versions Migration, Backup, Staging – WPvivid plugin for WordPress versions up to, and including 0.9.74

Description The issue allows deserialization of untrusted input via the path parameter. This enables authenticated attackers with administrative privileges to call files using a PHAR wrapper, which can deserialize and call arbitrary PHP Objects. These objects can be used to perform malicious actions if a POP chain is also present. The attack requires the attacker to successfully upload a file with the serialized payload.

Recommendations For versions up to, and including 0.9.74, update to a version higher than 0.9.74 to resolve the issue. As a temporary workaround, consider restricting access to the path parameter to minimize the risk of exploitation. Additionally, restrict the ability to upload files with serialized payloads to prevent malicious actions.