PT-2025-11168 · WordPress · All-In-One Wp Migration/Backup

Craig Smith +1 · Published 2025-03-13 · Updated 2025-03-18 · CVE-2024-10942

CVSS v3.1: 7.5 High
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: All-in-One WP Migration and Backup plugin for WordPress versions up to, and including, 7.89
Description: The issue allows unauthenticated attackers to inject a PHP Object via deserialization of untrusted input in the replace serialized values function. If a POP chain is present, possibly through an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code. The exploit can be triggered by an administrator exporting and restoring a backup.
Recommendations: For versions up to, and including, 7.89, update to a version that fixes the PHP Object Injection issue to prevent exploitation. As a temporary workaround, consider restricting access to the replace serialized values function until a patch is available.
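The weakness above is a search-and-replace routine that unserializes backup content before editing it. The following is an added example, not the plugin's code, of how such a routine can be written so that untrusted serialized data never instantiates a PHP object; the function names and the sample backup value are constructed for illustration.

```php
<?php
// Hypothetical hardened search/replace over serialized data (not the plugin's code).
// A plain str_replace() on the raw serialized string would break the s:N length
// prefixes, which is why such routines unserialize, edit, and serialize again.

function replace_serialized_values_safe(string $serialized, string $from, string $to): string
{
    // allowed_classes => false maps every O:/C: token to __PHP_Incomplete_Class, so no
    // __wakeup()/__destruct()/__toString() of an attacker-chosen class runs during restore.
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    if ($data === false && $serialized !== serialize(false)) {
        // Not serialized data at all: treat as a plain string.
        return str_replace($from, $to, $serialized);
    }
    return serialize(replace_recursive($data, $from, $to));
}

function replace_recursive($value, string $from, string $to)
{
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            $key = is_string($k) ? str_replace($from, $to, $k) : $k;
            $out[$key] = replace_recursive($v, $from, $to);
        }
        return $out;
    }
    if ($value instanceof __PHP_Incomplete_Class) {
        // A serialized object arrived in backup data. Re-serializing it would preserve the
        // class name for a later, possibly unsafe, unserialize(), so drop it and record it.
        error_log('restore: serialized object token removed from backup data');
        return null;
    }
    return $value; // int, float, bool, null pass through unchanged
}

// Constructed sample: a site URL migration over a serialized options array.
$backup_value = serialize([
    'home'  => 'http://old.example',
    'paths' => ['http://old.example/wp-content'],
]);
echo replace_serialized_values_safe($backup_value, 'http://old.example', 'https://new.example'), "\n";
```

The output is the same array serialized with the new URL; a restore that logs the removed-object message is one an operator should inspect before trusting the backup.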

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-10942

Affected Products

All-In-One Wp Migration/Backup