CVE-2024-10932

Name of the Vulnerable Software and Affected Versions Backup Migration plugin for WordPress versions up to, and including, 1.4.6

Description The issue concerns a PHP Object Injection vulnerability via deserialization of untrusted input in the recursive unserialize replace function. This allows unauthenticated attackers to inject a PHP Object, and with the presence of a POP chain, they can delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.

Recommendations For Backup Migration plugin for WordPress versions up to, and including, 1.4.6, update to a version higher than 1.4.6 to resolve the issue. As a temporary workaround, consider disabling the recursive unserialize replace function until a patch is available. Restrict access to sensitive data and files to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.