CVE-2024-3054
WPvivid Backup & Migration Plugin <= 0.9.99 - Authenticated (Admin+) PHAR Deserialization
WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient path validation on the tree_node[node][id] parameter. This makes it possible for authenticated attackers, with admin-level access and above, to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
| CWE | CWE-502 |
| Vendor | wpvividplugins |
| Product | wpvivid — backup, migration & staging |
| Published | Apr 12, 2024 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for wpvividplugins wpvivid — backup, migration & staging
Be the first to know when new high vulnerabilities affecting wpvividplugins wpvivid — backup, migration & staging are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H