CVE-2024-10962

Name of the Vulnerable Software and Affected Versions Migration, Backup, Staging – WPvivid plugin for WordPress versions up to, and including, 0.9.107

Description The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input in the replace row data and replace serialize data functions. This allows unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.

Recommendations For versions up to, and including, 0.9.107, update to a version that fixes the PHP Object Injection vulnerability to prevent potential cyber security issues. As a temporary workaround, consider restricting access to the replace row data and replace serialize data functions until a patch is available.