CVE-2024-10942
📋 TL;DR
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP object injection via unsafe deserialization in the 'replace_serialized_values' function. This allows unauthenticated attackers to inject malicious PHP objects, which could lead to arbitrary file deletion, data theft, or remote code execution if a suitable POP chain exists from other installed plugins or themes. The vulnerability requires an administrator to export and restore a backup to trigger exploitation.
💻 Affected Systems
- All-in-One WP Migration and Backup plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data exfiltration, or server takeover if a suitable POP chain exists from other installed components.
Likely Case
Limited impact due to the requirement for administrator action and lack of known POP chains in the vulnerable plugin itself, though potential for data exposure or file manipulation exists.
If Mitigated
Minimal impact if the plugin is updated promptly and no vulnerable POP chains are present in the environment.
🎯 Exploit Status
Exploitation requires administrator action (export/restore backup) and depends on presence of suitable POP chains from other installed components.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 7.90 and above
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3253940/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'All-in-One WP Migration and Backup'. 4. Click 'Update Now' if available, or manually update to version 7.90+. 5. Verify update completes successfully.
🔧 Temporary Workarounds
Disable plugin temporarily
WordPressTemporarily deactivate the plugin until it can be updated to a secure version.
wp plugin deactivate all-in-one-wp-migration
🧯 If You Can't Patch
- Remove the plugin entirely if updating is not possible.
- Restrict administrator access to backup/restore functionality.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins > Installed Plugins. If version is 7.89 or lower, the system is vulnerable.Check Version:
wp plugin get all-in-one-wp-migration --field=versionVerify Fix Applied:
Verify plugin version is 7.90 or higher in WordPress admin panel. Check that the 'replace_serialized_values' function no longer contains unsafe deserialization.📡 Detection & Monitoring
Log Indicators:
- Unusual backup export/restore activity by administrators
- PHP warnings related to deserialization in error logs
- Unexpected file deletion or modification events
Network Indicators:
- HTTP requests to backup/restore endpoints with serialized data payloads
SIEM Query:
source="wordpress" AND (event="plugin_activation" OR event="backup_restore") AND plugin="all-in-one-wp-migration" AND version<="7.89"