PT-2024-23469 · WordPress · Wpvivid Backup & Migration Plugin

Maksim Kosenko · Published 2024-04-12 · Updated 2024-04-12 · CVE-2024-3054

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WPvivid Backup & Migration Plugin for WordPress, versions up to and including 0.9.99

Description: The issue arises from insufficient path validation on the tree node[node][id] parameter, which allows authenticated attackers with admin-level access or above to deserialize untrusted input at the "wpvividstg get custom exclude path free" action. This could enable attackers to reference files through a PHAR wrapper, potentially leading to deserialization of data and instantiation of arbitrary PHP objects. If a POP chain is present via an additional plugin or theme, this could result in deletion of arbitrary files, retrieval of sensitive data, or execution of code.

Recommendations: For WPvivid Backup & Migration Plugin for WordPress versions up to and including 0.9.99, consider disabling the wpvividstg get custom exclude path free action until a patch is available. Restrict access to the tree node[node][id] parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
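As an added example (not the plugin's own code), the kind of path check the description says is missing: a hypothetical helper that rejects stream-wrapper strings such as phar:// on the raw value, before any filesystem function can open them, and then confines the resolved path to an allowed base directory. The function name and the use of the system temp directory as the base are assumptions for a stand-alone run.

```php
<?php
// Added example, not the plugin's own code: validate a user-supplied
// exclusion path *before* any filesystem function touches it, so a
// phar:// (or other stream-wrapper) string never reaches is_dir(),
// file_exists() or similar, where PHAR metadata would be unserialized.

/**
 * Return the resolved absolute path when $candidate is a plain
 * filesystem path inside $base_dir, or null when it must be rejected.
 * Hypothetical helper name; the real handler's names are not on the page.
 */
function wpvivid_example_safe_exclude_path( string $candidate, string $base_dir ): ?string {
    // 1. Reject scheme-like prefixes (phar:, file:, data:, php:, glob:, ...)
    //    on the raw string, before any I/O. A single letter before ":" is
    //    still allowed so Windows drive letters such as C:\ pass.
    if ( preg_match( '#^\s*[a-z][a-z0-9+.\-]+:#i', $candidate ) ) {
        return null;
    }
    // 2. NUL bytes would truncate the path inside native calls.
    if ( strpos( $candidate, "\0" ) !== false ) {
        return null;
    }
    // 3. Resolve symlinks and "../" segments on both sides. realpath()
    //    does not go through stream wrappers and fails for missing paths.
    $base = realpath( $base_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return null;
    }
    // 4. Containment: the resolved path is the base itself or lives below it.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( $real !== $base && 0 !== strpos( $real, $prefix ) ) {
        return null;
    }
    return $real;
}

// Stand-alone run with constructed inputs; the system temp dir stands in
// for the directory the exclusion tree is allowed to browse.
$base    = sys_get_temp_dir();
$samples = [
    $base,                               // the base itself
    'phar://' . $base . '/evil.phar/x',  // stream wrapper
    $base . '/../..',                    // escapes the base
];
foreach ( $samples as $s ) {
    $result = wpvivid_example_safe_exclude_path( $s, $base );
    printf( "%s => %s\n", $s, null === $result ? 'rejected' : 'accepted ' . $result );
}
```

In a handler, the validated value is the only one that should be passed on to the filesystem; a null result should end the request with an error response rather than fall through to a default path.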

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2024-3054

Affected Products: Wpvivid Backup & Migration Plugin