CVE-2024-10942
Published: 13 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-10942 is a PHP Object Injection vulnerability (CWE-502: Deserialization of Untrusted Data) in the All-in-One WP Migration and Backup plugin for WordPress, affecting all versions up to and including 7.89. The flaw stems from deserialization of untrusted input in the 'replace_serialized_values' function within the plugin's lib/vendor/servmask/database/class-ai1wm-database-utility.php component.
Unauthenticated attackers can inject a serialized PHP object, but exploitation requires an administrator to export and then restore a backup, which triggers the deserialization. No known POP (Property-Oriented Programming) chain exists in the vulnerable software itself. However, if a POP chain is available through an additional plugin or theme on the target system, attackers could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H): network accessible, high attack complexity, no privileges required, and user interaction required.
Patches addressing the issue are available via changeset 3253940 in the WordPress plugin trac repository. Security practitioners should refer to the Wordfence threat intelligence advisory for further details on detection and remediation, along with the source code reference at line 97 in class-ai1wm-database-utility.php for understanding the fix. Updating the plugin is the primary mitigation.
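The defect class above is easiest to see in code. The following is an added illustration, not the plugin's own code and not its actual patch: a site-URL replacement routine of the kind described, first in the vulnerable form (any serialized value is handed straight to unserialize(), so an embedded object is instantiated and its magic methods run) and then hardened with allowed_classes => false, which is PHP's standard control for this CWE-502 pattern. The class Ai1wmDemoHook, the function names and the sample values are all constructed for the example.

```php
<?php
// Added illustration (not the plugin's code). Hypothetical names: Ai1wmDemoHook,
// replaceSerializedValuesUnsafe, replaceSerializedValuesSafe.

// A class with a magic method stands in for whatever gadget a third-party
// plugin or theme might provide. This demo version only writes a log line.
class Ai1wmDemoHook {
    public $path = '';
    public function __destruct() {
        // In a real POP chain this is where the side effect would happen.
        error_log("Ai1wmDemoHook::__destruct ran for " . $this->path);
    }
}

// Constructed sample row values as they might appear in a wp_options dump:
// an ordinary serialized array, then a value carrying a serialized object.
function sampleValues(): array {
    return [
        serialize(['siteurl' => 'http://old.example', 'blogname' => 'Demo']),
        'O:13:"Ai1wmDemoHook":1:{s:4:"path";s:16:"/tmp/demo-marker";}',
    ];
}

// Vulnerable pattern: every string that parses as serialized data is passed
// to unserialize() with no class restriction, so objects are instantiated.
function replaceSerializedValuesUnsafe(string $value, string $from, string $to): string {
    $data = @unserialize($value);
    if ($data === false) {
        return str_replace($from, $to, $value);
    }
    return serialize(replaceRecursive($data, $from, $to));
}

// Hardened: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, so no class's magic methods can run. Any object
// found is treated as a sign the value is not a plain settings blob.
function replaceSerializedValuesSafe(string $value, string $from, string $to): string {
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false) {
        return str_replace($from, $to, $value);
    }
    if (containsObject($data)) {
        // URL replacement never needs objects; leave the raw value untouched
        // and let the caller decide whether to reject the backup outright.
        return $value;
    }
    return serialize(replaceRecursive($data, $from, $to));
}

// Walk nested arrays and rewrite strings; scalars other than strings pass through.
function replaceRecursive($data, string $from, string $to) {
    if (is_string($data)) {
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $k => $v) {
            $data[$k] = replaceRecursive($v, $from, $to);
        }
    }
    return $data;
}

// True if any object (including __PHP_Incomplete_Class) is present.
function containsObject($data): bool {
    if (is_object($data)) {
        return true;
    }
    if (is_array($data)) {
        foreach ($data as $v) {
            if (containsObject($v)) {
                return true;
            }
        }
    }
    return false;
}

foreach (sampleValues() as $v) {
    echo replaceSerializedValuesSafe($v, 'http://old.example', 'https://new.example'), "\n";
}
```

Run with `php demo.php`: the first sample is rewritten to the new URL, the second is returned unchanged and no log line appears, because the object was never instantiated. Swapping in replaceSerializedValuesUnsafe for the second sample produces the __destruct log line, which is exactly the behaviour an external POP chain would build on. Restricting classes at the unserialize() call is the control; the page's advice to update the plugin is what applies it in practice.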
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability is a deserialization flaw in a public-facing WordPress plugin that unauthenticated attackers can exploit to achieve RCE (via a POP chain supplied by other components), directly enabling initial access through exploitation of a public-facing application.