WPvivid Backup & Migration Plugin Vulnerability – Authenticated (Admin+) PHAR Deserialization – CVE-2024-3054 | WordPress Plugin Vulnerability Report

Plugin Name: WPvivid Backup & Migration Plugin

Key Information:

  • Software Type: Plugin
  • Software Slug: wpvivid-backuprestore
  • Software Status: Active
  • Software Author: wpvividplugins
  • Software Downloads: 7,313,881
  • Active Installs: 400,000
  • Last Updated: April 25, 2024
  • Patched Versions: 0.9.100
  • Affected Versions: <= 0.9.99

Vulnerability Details:

  • Name: WPvivid Backup & Migration Plugin <= 0.9.99
  • Title: Authenticated (Admin+) PHAR Deserialization
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-3054
  • CVSS Score: 7.2
  • Publicly Published: April 11, 2024
  • Researcher: Maksim Kosenko
  • Description: The WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR deserialization in all versions up to and including 0.9.99. The flaw stems from insufficient path validation on the tree_node[node][id] parameter: a value beginning with phar:// is passed to a PHP filesystem call, which makes the phar stream wrapper parse the archive and unserialize the attacker-controlled metadata. An authenticated attacker with administrator-level access or above can therefore deserialize arbitrary PHP objects. On its own this does nothing harmful; it becomes file deletion, data theft, or arbitrary code execution only if a usable property-oriented programming (POP) gadget chain exists on the site through another plugin or theme.

Summary:

The WPvivid Backup & Migration Plugin for WordPress has a high-severity vulnerability (CVSS 7.2) in versions up to and including 0.9.99 that lets administrator-level authenticated users trigger PHAR deserialization of attacker-supplied data. The issue is fixed in version 0.9.100.

Detailed Overview:

Identified by security researcher Maksim Kosenko, this vulnerability is a classic PHAR deserialization sink: the plugin takes a path from the request and hands it to a filesystem function without first checking that it is a plain path inside the directory the plugin is supposed to browse. PHP's phar:// stream wrapper will open any file that contains a valid phar archive, whatever its extension, and historically unserializes the archive's metadata as part of opening it. That is deserialization of untrusted data. Whether it leads to deleting files, extracting sensitive data, or executing code depends on which classes are loaded on the site: WPvivid itself need not contain a gadget, but a vulnerable or merely convenient class from another plugin or theme can complete the POP chain. Version 0.9.100 corrects the path validation so that the parameter can no longer reach the stream wrapper.
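The following is an added example written for this report; it is not WPvivid's code and does not reproduce the plugin's actual handler. It builds a phar whose metadata is a serialized object, passes a phar:// path into a hypothetical node lookup that calls is_dir()/file_exists() the way the report describes, and then shows a hardened lookup that rejects stream wrappers and confines the resolved path to a base directory. The Gadget class, the function names and the temp-directory paths are all constructed for the demonstration. Run it with `php -d phar.readonly=0 phar_demo.php`, because phar.readonly cannot be lowered at runtime and is needed only for the archive-building step. Note that PHP 8.0 changed the phar extension so that metadata is unserialized only when getMetadata() is called; on such a host the vulnerable lookup reports that nothing fired, which is exactly why the PHP version of the affected site matters when assessing impact.

```php
<?php
// Added example for this report, not WPvivid's code.
// Run with:  php -d phar.readonly=0 phar_demo.php
declare(strict_types=1);

// Stand-in for a gadget class that some other plugin or theme might load.
// Real chains use __wakeup/__destruct/__toString side effects; here the
// side effect is just a counter so the demo can report what happened.
class Gadget {
    public static int $wakeups = 0;
    public string $note = '';
    public function __wakeup(): void {
        self::$wakeups++;
        echo "[!] Gadget::__wakeup() ran: {$this->note}\n";
    }
}

// Builds the attacker's archive: a valid phar whose metadata is a
// serialized Gadget. The file name is irrelevant to the phar:// wrapper,
// so in a real attack it could carry an innocuous extension.
function build_malicious_phar(string $path): void {
    @unlink($path);
    $phar = new Phar($path);
    $phar->startBuffering();
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('x.txt', 'x');
    $g = new Gadget();
    $g->note = 'deserialized from phar metadata';
    $phar->setMetadata($g);
    $phar->stopBuffering();
}

// Hypothetical sink modelled on the report: a node id taken straight from
// the request and handed to filesystem calls. A phar:// value reaches the
// stream wrapper, which parses the archive (and, on PHP < 8.0, unserializes
// its metadata).
function vulnerable_node_lookup(string $nodeId): bool {
    return is_dir($nodeId) || file_exists($nodeId);
}

// Hardened version: refuse anything that looks like a URL scheme (phar://,
// php://, data:, ...), then resolve the path and require it to stay inside
// the directory the plugin is allowed to browse.
function safe_node_lookup(string $nodeId, string $baseDir): bool {
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $nodeId)) {
        return false;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $nodeId);
    if ($base === false || $real === false) {
        return false;   // realpath() also returns false for stream wrappers
    }
    // Compare with a trailing separator so "/backup2" is not accepted as "/backup".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

// --- demo (constructed paths, not real backup data) ---
$baseDir  = sys_get_temp_dir();
$pharPath = $baseDir . DIRECTORY_SEPARATOR . 'wpvivid_demo.phar';
build_malicious_phar($pharPath);
$attackerNodeId = 'phar://' . $pharPath . '/x.txt';   // what tree_node[node][id] would carry

$before = Gadget::$wakeups;
vulnerable_node_lookup($attackerNodeId);
printf("vulnerable lookup triggered deserialization: %s (PHP %s)\n",
       Gadget::$wakeups > $before ? 'yes' : 'no', PHP_VERSION);
// Expected: "yes" on PHP 7.x. On PHP 8.0+ the wrapper no longer unserializes
// metadata on stream access, so this particular sink prints "no".

$before = Gadget::$wakeups;
var_dump(safe_node_lookup($attackerNodeId, $baseDir));      // false: scheme rejected
var_dump(safe_node_lookup('../../../../etc', $baseDir));     // false: escapes base dir
var_dump(safe_node_lookup(basename($pharPath), $baseDir));   // true: plain file inside base, never opened as phar
printf("safe lookups triggered deserialization: %s\n", Gadget::$wakeups > $before ? 'yes' : 'no');
@unlink($pharPath);
```

The scheme check is deliberately broad: a relative node id from a directory tree never legitimately starts with `name:`, so rejecting every scheme (and, as a side effect, Windows drive letters) costs nothing and closes php://, data: and compress.* wrappers along with phar://. The realpath() containment check is what the report's "insufficient path validation" was missing; it is also what stops plain directory traversal, which is a separate issue from deserialization but lives in the same line of code.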

Advice for Users:

  • Immediate Action: Update to version 0.9.100 or later. The fixed version is the only complete remediation; there is no configuration setting in the plugin that disables the affected parameter.
  • Check for Signs of Exploitation: Because exploitation requires administrator-level credentials, start by reviewing the site's administrator accounts and recent admin logins for anything unexpected. Then inspect the uploads and backup directories for files that are valid phar archives under another extension, and review web server logs for requests carrying a tree_node[node][id] value that begins with phar://. The PHP version matters when assessing impact: PHP 8.0 and later no longer unserialize phar metadata on stream access, so sites still on PHP 7.x are the ones most exposed.
  • Alternate Plugins: The patch addresses this issue, but the plugin's history of reported vulnerabilities (see below) is a reasonable input when deciding whether to keep it or evaluate a backup and migration plugin with a stronger security track record.
  • Stay Updated: Keeping every plugin and theme current matters doubly here, because the gadget chain that turns this deserialization into code execution would come from another plugin or theme, not from WPvivid itself.

Conclusion:

The swift response from WPvivid's developers in patching this high-severity vulnerability highlights the necessity of regular software updates as a cornerstone of effective cybersecurity strategy. Users are advised to install version 0.9.100 or later of the WPvivid Backup & Migration Plugin to secure their WordPress installations against this and potentially other exploits.

Detailed Report:

In the digital world, the security of your website hinges not just on the strength of your passwords and the robustness of your hosting service, but equally on the software that powers your site. The recent discovery of a serious vulnerability in the WPvivid Backup & Migration Plugin, a tool relied upon by over 400,000 WordPress sites for critical backup and migration tasks, serves as a stark reminder of this reality. This vulnerability, an authenticated (Admin+) PHAR deserialization tracked as CVE-2024-3054, affects versions up to and including 0.9.99. An attacker who already holds administrator access can use it to deserialize arbitrary PHP objects, and where a suitable gadget chain exists on the site that can escalate to arbitrary code execution, data theft, or unauthorized file deletion.

Previous Vulnerabilities:

Since March 13, 2020, there have been 18 previous vulnerabilities reported for the WPvivid Backup & Migration Plugin, highlighting the ongoing challenges and importance of regular security updates.

Conclusion:

Small business owners, particularly those managing their own WordPress installations, must prioritize regular updates to safeguard their digital assets. By staying vigilant and responsive to updates such as WPvivid's 0.9.100 release, you protect not just your data but also your reputation and operational continuity.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
