CVE-2024-10962 – The WPvivid WordPress plugin is vulnerable to P... (How to Fix)

Q: What is the severity of CVE-2024-10962?

CVE-2024-10962 has a CVSS score of 8.8 (HIGH). The WPvivid WordPress plugin is vulnerable to PHP object injection via insecure deserialization in staging site functions. Unauthenticated attackers can exploit this to execute arbitrary code if a suitable POP chain exists in other installed plugins/themes. All WordPress sites using WPvivid plugin versions up to 0.9.107 are affected.

📋 TL;DR

The WPvivid WordPress plugin is vulnerable to PHP object injection via insecure deserialization in staging site functions. Unauthenticated attackers can exploit this to execute arbitrary code if a suitable POP chain exists in other installed plugins/themes. All WordPress sites using WPvivid plugin versions up to 0.9.107 are affected.

💻 Affected Systems

Products:

Migration, Backup, Staging – WPvivid WordPress plugin

Versions: All versions up to and including 0.9.107

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires administrator to create a staging site to trigger the vulnerability. WordPress multisite installations are also affected.

📦 What is this software?

Migration\, Backup\, Staging by Wpvivid

View all CVEs affecting Migration\, Backup\, Staging →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete site compromise, data theft, and server takeover if a POP chain exists in installed components.

🟠

Likely Case

Limited impact due to no known POP chain in WPvivid itself, but potential for file deletion or data exposure if vulnerable plugins/themes are present.

🟢

If Mitigated

No impact if plugin is patched or removed, or if no vulnerable POP chain components are installed.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires administrator to create staging site and presence of POP chain in other installed components. No known public exploit code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.108 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3186082/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WPvivid plugin and click 'Update Now'. 4. Verify version is 0.9.108 or higher.

🔧 Temporary Workarounds

Disable WPvivid plugin

all

Temporarily deactivate the vulnerable plugin until patched

wp plugin deactivate wpvivid-backuprestore

Remove staging functionality

all

Disable staging site creation in WPvivid settings

🧯 If You Can't Patch

Disable or remove the WPvivid plugin entirely
Implement web application firewall rules to block deserialization attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for WPvivid version

Check Version:

wp plugin get wpvivid-backuprestore --field=version

Verify Fix Applied:

Confirm WPvivid plugin version is 0.9.108 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to wp-admin/admin-ajax.php with serialized data
Unexpected staging site creation events
PHP errors related to unserialize() or object injection

Network Indicators:

HTTP requests containing serialized PHP objects in parameters
Requests to staging-related endpoints from unexpected sources

SIEM Query:

source="wordpress.log" AND ("unserialize" OR "replace_row_data" OR "replace_serialize_data")

📊 Metadata

CVE ID: CVE-2024-10962

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-502

Published: November 14, 2024

Last Updated: February 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10962, you might also want to check these: