CVE-2024-10962: 
WordPress vulnerability analysis and mitigation

The Migration, Backup, Staging – WPvivid plugin for WordPress was identified with a PHP Object Injection vulnerability (CVE-2024-10962) affecting all versions up to and including 0.9.107. The vulnerability was disclosed on November 14, 2024, and involves the deserialization of untrusted input in the 'replacerowdata' and 'replaceserializedata' functions (NVD).

The vulnerability stems from improper handling of deserialization of untrusted data (CWE-502) in two specific functions: 'replacerowdata' and 'replaceserializedata'. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a serious security risk that requires user interaction to exploit (NVD).

While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes installed on the target system, the vulnerability could enable attackers to delete arbitrary files, retrieve sensitive data, or execute malicious code. The impact is particularly significant as it affects unauthenticated attackers, though an administrator must create a staging site to trigger the exploit (NVD).

The vulnerability has been patched in version 0.9.108 and later. Users are strongly advised to update their WPvivid plugin to the latest version to mitigate this security risk (Wordfence Blog).