High severity7.2NVD Advisory· Published Sep 6, 2022· Updated Apr 8, 2026
CVE-2022-2442
CVE-2022-2442
Description
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected products
1- cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:*Range: <=0.9.74
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.phpnvdPatchThird Party Advisory
- plugins.trac.wordpress.org/browser/wpvivid-backuprestore/trunk/includes/staging/class-wpvivid-staging.phpnvdPatchThird Party Advisory
- plugins.trac.wordpress.org/changesetnvdPatchThird Party Advisory
- www.wordfence.com/vulnerability-advisories/nvdThird Party Advisory
- www.wordfence.com/threat-intel/vulnerabilities/id/b7e2ca2e-c495-47f8-9c18-da5ba73d9e70nvd
News mentions
0No linked articles in our index yet.