CVE-2022-2442 - Deserialization of Untrusted Data vulnerability in Wpvivid Migration, Backup, Staging

CVSS 7.2 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
CWE-502

Summary

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to and including 0.9.74. An authenticated attacker with administrative privileges can reference files through a PHAR wrapper, which deserializes and invokes arbitrary PHP objects. Provided a POP chain is also present, those objects can be used to perform a variety of malicious actions. Exploitation also requires that the attacker succeeds in uploading a file containing the serialized payload.

Vulnerable Configurations

Part | Description | Count
Application | Wpvivid | 75

Common Weakness Enumeration (CWE)