CVE-2024-3054
CVSS 3.1 Score 7.2 of 10 (high)
Details
Summary
CVE-2024-3054 is a vulnerability affecting the WPvivid Backup & Migration Plugin for WordPress. It allows authenticated attackers with admin-level access to deserialize untrusted input through the wpvividstg_get_custom_exclude_path_free action. The plugin fails to validate paths supplied in the tree_node[node][id] parameter, enabling attackers to call arbitrary PHP objects using a PHAR wrapper. While no POP chain is present in the vulnerable plugin, a POP chain introduced by an additional plugin or theme could lead to file deletion, data retrieval, or code execution.
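A detection check for the request pattern described above, added here as an example (not code from the plugin or from this advisory). It assumes form-encoded request bodies are available from a WAF or audit log; the helper names and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

ACTION = "wpvividstg_get_custom_exclude_path_free"   # action named in the advisory
PARAM = "tree_node[node][id]"                        # unvalidated path parameter
# A stream-wrapper scheme at the start of the value, e.g. "phar://"; plain paths never match.
WRAPPER = re.compile(r"^\s*([a-z][a-z0-9+.\-]*)://", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. added by a proxy or logging layer)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_body(body):
    """Return the wrapper scheme if the body targets ACTION with a wrapper in PARAM, else None."""
    # Assumption: the body is application/x-www-form-urlencoded, as captured by the log source.
    fields = {decode_fully(k): decode_fully(v) for k, v in parse_qsl(body, keep_blank_values=True)}
    if fields.get("action") != ACTION:
        return None
    match = WRAPPER.match(fields.get(PARAM, ""))
    return match.group(1).lower() if match else None

# Constructed sample request bodies (not real traffic).
SAMPLE_BODIES = [
    "action=wpvividstg_get_custom_exclude_path_free&tree_node%5Bnode%5D%5Bid%5D=%2Fvar%2Fwww%2Fhtml%2Fwp-content",
    "action=wpvividstg_get_custom_exclude_path_free&tree_node%5Bnode%5D%5Bid%5D=PHAR%3A%2F%2F%2Ftmp%2Fupload.jpg",
    "action=heartbeat&tree_node%5Bnode%5D%5Bid%5D=phar%3A%2F%2F%2Ftmp%2Fupload.jpg",
    "action=wpvividstg_get_custom_exclude_path_free&tree_node%5Bnode%5D%5Bid%5D=%2570har%253A%252F%252F%252Ftmp%252Fupload.jpg",
]

def scan(bodies):
    """Map each body to the detected wrapper scheme, or None when nothing is flagged."""
    return [inspect_body(b) for b in bodies]

if __name__ == "__main__":
    for body, hit in zip(SAMPLE_BODIES, scan(SAMPLE_BODIES)):
        print("ALERT" if hit else "ok   ", hit, body[:60])
```

Because exploitation requires admin-level access, a hit is also a reason to review the administrator account that sent the request.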