CVE-2024-10932
📋 TL;DR
The Backup Migration plugin for WordPress is vulnerable to PHP object injection via insecure deserialization, allowing unauthenticated attackers to execute arbitrary code, delete files, or steal data. All versions up to 1.4.6 are affected. Exploitation requires an administrator to create a staging site.
💻 Affected Systems
- Backup Migration WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, leading to data theft, ransomware deployment, or website defacement.
Likely Case
Arbitrary file deletion causing website disruption or sensitive data exfiltration from the database.
If Mitigated
Limited impact if proper web application firewalls and file integrity monitoring are in place.
🎯 Exploit Status
Exploitation requires administrator action (creating staging site) but then allows unauthenticated attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.6.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.4.6.1/includes/database/search-replace.php#L46
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Backup Migration plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.4.6.1 from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the Backup Migration plugin until patched.
Restrict staging site creation
allLimit administrator permissions to prevent staging site creation.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block deserialization attacks.
- Enable file integrity monitoring to detect unauthorized file deletions.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Backup Migration > Version number.Check Version:
wp plugin list --name=backup-backup --field=versionVerify Fix Applied:
Confirm plugin version is 1.4.6.1 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual PHP errors related to unserialize()
- Unexpected file deletion events in web logs
- Suspicious POST requests to search-replace.php
Network Indicators:
- HTTP requests containing serialized PHP objects in parameters
SIEM Query:
source="web_logs" AND ("unserialize" OR "search-replace.php") AND status>=400🔗 References
- https://plugins.trac.wordpress.org/browser//backup-backup/tags/1.4.6/includes/database/search-replace.php#L46
- https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.4.6.1/includes/database/search-replace.php#L46
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a0c514-5200-47f4-9d2e-684d68946b9a?source=cve
