CVE-2024-3054

7.2 HIGH

📋 TL;DR

The WPvivid Backup & Migration WordPress plugin is vulnerable to PHAR deserialization, allowing authenticated attackers with admin access to deserialize arbitrary PHP objects. This could lead to file deletion, data theft, or remote code execution if other vulnerable plugins/themes are present. Only WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WPvivid Backup & Migration Plugin for WordPress
Versions: All versions up to and including 0.9.99
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with vulnerable plugin version and attacker with admin-level access

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if a POP chain exists in other installed components

🟠 Likely Case: Arbitrary file deletion or sensitive data exposure through deserialization attacks

🟢 If Mitigated: Limited impact due to the admin-only access requirement and the lack of a POP chain in the plugin itself

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires admin credentials and potentially additional vulnerable plugins/themes for full impact

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 0.9.99

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3067224%40wpvivid-backuprestore&new=3067224%40wpvivid-backuprestore

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WPvivid Backup & Migration
4. Click 'Update Now' if available
5. Alternatively, download latest version from WordPress repository and manually update

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily disable the WPvivid Backup & Migration plugin until patched

wp plugin deactivate wpvivid-backuprestore

Restrict admin access (applies to: all)

Implement strict access controls and monitoring for admin accounts

🧯 If You Can't Patch

  • Remove the WPvivid Backup & Migration plugin completely
  • Implement web application firewall rules to block requests to the wpvividstg_get_custom_exclude_path_free action

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → WPvivid Backup & Migration version number

Check Version:

wp plugin get wpvivid-backuprestore --field=version

Verify Fix Applied:

Verify plugin version is greater than 0.9.99

📡 Detection & Monitoring

Log Indicators:

  • POST requests to wp-admin/admin-ajax.php with action=wpvividstg_get_custom_exclude_path_free
  • Unusual file operations or PHP errors related to deserialization

Network Indicators:

  • HTTP requests containing PHAR:// wrappers in parameters
  • Admin-level authentication followed by suspicious plugin-specific requests

SIEM Query:

source="web_logs" AND uri="*/admin-ajax.php" AND params="*wpvividstg_get_custom_exclude_path_free*"
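The log and network indicators above can be checked outside a SIEM as well. The following script is an added example, not part of this advisory or of the WPvivid project: it scans Apache combined-format access log lines for admin-ajax.php requests that carry the wpvividstg_get_custom_exclude_path_free action or a phar:// wrapper in any parameter, decoding percent-encoding (including double encoding and mixed case) before matching. The log lines are constructed for the example, with a placeholder phar:// value rather than any real payload, and the script assumes the query string appears in the request line.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# AJAX action named in the advisory's detection indicators.
WPVIVID_ACTION = "wpvividstg_get_custom_exclude_path_free"

# Constructed sample lines (not real traffic); the phar value is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpvividstg_get_custom_exclude_path_free&path=phar%3A%2F%2Fexample HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2024:12:00:03 +0000] "GET /wp-content/uploads/2024/04/photo.jpg HTTP/1.1" 200 34012 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Apr/2024:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=wpvividstg_get_custom_exclude_path_free HTTP/1.1" 200 320 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded wrappers are still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return the set of reasons a request target matches the advisory's indicators."""
    reasons = set()
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return reasons
    params = parse_qs(parts.query, keep_blank_values=True)
    if WPVIVID_ACTION in params.get("action", []):
        reasons.add("wpvivid_exclude_path_action")
    for values in params.values():
        for v in values:
            # Case-insensitive: PHP stream wrappers are matched case-insensitively.
            if "phar://" in fully_decode(v).lower():
                reasons.add("phar_wrapper_in_params")
    return reasons


def scan_access_log(text):
    """Yield one finding per matching log line with the source IP, timestamp and reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = inspect_request(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "reasons": sorted(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Note that admin-ajax.php actions are commonly sent in the POST body rather than the query string, and standard access logs do not record bodies; for those requests the same logic needs a source that captures parameters, such as a WAF audit log or the SIEM `params` field used in the query above. Pair hits on the action with the user's authentication events, since the advisory's attack path requires an admin session.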

🔗 References
