CVE-2024-56068: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability was discovered in Azzaroco WP SuperBackup, affecting versions through 2.3.3. The vulnerability was publicly disclosed on December 18, 2024, and was assigned CVE-2024-56068. This security flaw affects the WordPress plugin WP SuperBackup, which is used for backup and migration purposes (Patchstack, Wordfence Intel).

The vulnerability is classified as a PHP Object Injection issue, requiring Subscriber or higher privileges to exploit. It has received varying CVSS scores from different sources: Patchstack assigned it a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, while other assessments rated it at 8.8. The vulnerability is tracked under CWE-502 (Deserialization of Untrusted Data) (Patchstack, NVD).

The PHP Object Injection vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The specific impact varies case by case, but the vulnerability is considered highly dangerous and expected to become mass exploited (Patchstack).

The vulnerability has been patched in version 2.4 of the WP SuperBackup plugin. Users are strongly advised to update to version 2.4 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).