CVE-2022-2442

Published: Sep 6, 2022Modified: Apr 8, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Affected (1)

Products: Wpvivid: Migration, Backup, Staging

1 product

Migration, Backup, Staging

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpvivid Migration, Backup, Staging	Up to 0.9.74

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (10)

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1747

Source: security@wordfence.com

PatchThird Party Advisory

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1783

Source: security@wordfence.com

PatchThird Party Advisory

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2766112%40wpvivid-backuprestore%2Ftrunk%2Fincludes%2Fstaging%2Fclass-wpvivid-staging.php&new=2766112%40wpvivid-backuprestore%2Ftrunk%2Fincludes%2Fstaging%2Fclass-wpvivid-staging.php

Source: security@wordfence.com

PatchThird Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b7e2ca2e-c495-47f8-9c18-da5ba73d9e70?source=cve

Source: security@wordfence.com

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2442

Source: security@wordfence.com

Third Party Advisory

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1747

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.php?rev=2749419#L1783

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2766112%40wpvivid-backuprestore%2Ftrunk%2Fincludes%2Fstaging%2Fclass-wpvivid-staging.php&new=2766112%40wpvivid-backuprestore%2Ftrunk%2Fincludes%2Fstaging%2Fclass-wpvivid-staging.php

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/b7e2ca2e-c495-47f8-9c18-da5ba73d9e70?source=cve

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-2442

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.