CVE-2022-2442: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid plugin for WordPress (versions <= 0.9.74) contains a PHAR deserialization vulnerability identified as CVE-2022-2442. The vulnerability was discovered by Rasoul Jahanshahi and publicly disclosed on August 10, 2022. This security issue affects the plugin's handling of the 'path' parameter, which could allow high-privilege users to perform unauthorized PHAR deserialization operations (WPScan, Wordfence).

The vulnerability stems from improper validation of the 'path' parameter in the plugin, which could lead to PHAR deserialization when a suitable gadget chain is present. The issue has been assigned a CVSS score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as an Object Injection issue (CWE-502) and falls under the OWASP Top 10 category A8: Insecure Deserialization (WPScan).

When exploited, this vulnerability could allow authenticated users with high privileges (such as administrators) to perform PHAR deserialization attacks, potentially leading to unauthorized code execution within the context of the WordPress installation (Wordfence).

The vulnerability has been patched in version 0.9.75 of the WPvivid plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (WPScan).