CVE-2024-10942

Severity: High · Impact: RCE

Published: 13 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (changeset 3253940)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0074 (73.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10942 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 26.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-10942 is a PHP Object Injection vulnerability (CWE-502: Deserialization of Untrusted Data) in the All-in-One WP Migration and Backup plugin for WordPress, affecting all versions up to and including 7.89. The flaw stems from deserialization of untrusted input in the 'replace_serialized_values' function within the plugin's lib/vendor/servmask/database/class-ai1wm-database-utility.php component.

Unauthenticated attackers can exploit the vulnerability by injecting a PHP Object, but exploitation requires an administrator to export and then restore a backup, which triggers the deserialization. No known POP (Property-Oriented Programming) chain exists in the vulnerable software itself. However, if a POP chain is available through an additional plugin or theme on the target system, attackers could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H): network-accessible, but with high attack complexity and user interaction required.

Patches addressing the issue are available via changeset 3253940 in the WordPress plugin Trac repository. Security practitioners should refer to the Wordfence threat intelligence advisory for further details on detection and remediation, along with the source code reference at line 97 in class-ai1wm-database-utility.php to understand the fix. Updating the plugin is the primary mitigation.
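As an added illustration of the control this advisory recommends (validating serialized input before it is deserialized), the following PHP shows a search-and-replace over serialized values that never instantiates objects. This is example code written for this page; it is not the plugin's code and not the change made in changeset 3253940. The function names, including `replace_in_serialized` as a hypothetical stand-in for the pattern behind the plugin's `replace_serialized_values`, and the sample serialized strings are constructed for the example; it assumes PHP 8 or later.

```php
<?php
// Added example (not the plugin's code): handling serialized values from an
// import path (e.g. a restored backup) without ever instantiating a class.

declare(strict_types=1);

/**
 * True if the serialized string contains an object token (O: or C:) that
 * would instantiate a class on unserialize(). Conservative: a string value
 * whose content mimics such a token is also flagged.
 */
function contains_serialized_object(string $value): bool
{
    // Matches tokens such as O:8:"stdClass": or C:11:"ArrayObject": at a
    // value boundary (start of string, after ';' or after '{').
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $value);
}

/**
 * Unserialize with allowed_classes => false (PHP >= 7.0). Any object token
 * becomes __PHP_Incomplete_Class, which carries no methods, so no
 * __wakeup()/__destruct() gadget can run. Returns null for malformed data
 * instead of the ambiguous false.
 */
function unserialize_no_objects(string $value): mixed
{
    $result = @unserialize($value, ['allowed_classes' => false]);
    if ($result === false && $value !== serialize(false)) {
        return null; // malformed or truncated input
    }
    return $result;
}

/**
 * Hypothetical stand-in for a "replace inside serialized values" helper.
 * Rejects any value that would instantiate objects, unserializes the rest
 * without classes, rewrites string leaves, and re-serializes.
 */
function replace_in_serialized(string $value, string $from, string $to): ?string
{
    if (contains_serialized_object($value)) {
        error_log('replace_in_serialized: rejected serialized object in import data');
        return null;
    }
    $data = unserialize_no_objects($value);
    if ($data === null) {
        return null;
    }
    // Recursive walk over nested arrays; only string leaves are rewritten.
    $walk = function ($item) use (&$walk, $from, $to) {
        if (is_array($item)) {
            return array_map($walk, $item); // single array: keys preserved
        }
        return is_string($item) ? str_replace($from, $to, $item) : $item;
    };
    return serialize($walk($data));
}

// Constructed sample inputs (not taken from any real backup).
$benign  = serialize(['siteurl' => 'http://old.example', 'n' => 3]);
$tainted = 'a:1:{s:1:"x";O:8:"stdClass":1:{s:1:"y";s:1:"z";}}';

var_dump(contains_serialized_object($benign));
var_dump(contains_serialized_object($tainted));
var_dump(replace_in_serialized($benign, 'http://old.example', 'https://new.example'));
var_dump(replace_in_serialized($tainted, 'old', 'new'));

// Even if the pre-check were bypassed, the object token yields an
// __PHP_Incomplete_Class instance rather than a live object.
$r = unserialize_no_objects($tainted);
var_dump($r['x'] instanceof __PHP_Incomplete_Class);
```

The two layers are deliberate: the regex pre-check lets an import routine log and refuse data that should never contain objects, while `allowed_classes => false` is the control that actually removes the class-instantiation step, so a false negative in the pre-check still cannot reach a `__wakeup()` or `__destruct()` gadget in another plugin or theme. Where a code path legitimately needs specific classes, pass an explicit allow-list of class names instead of `false`.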

Vulnerability details

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.

CWE(s)

CWE-502 Deserialization of Untrusted Data
Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a deserialization flaw in a public-facing WordPress plugin that unauthenticated attackers can exploit to achieve RCE (via a POP chain supplied by other installed components), which directly enables initial access through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13770 (shared CWE-502)
CVE-2026-27303 (shared CWE-502)
CVE-2025-53586 (shared CWE-502)
CVE-2025-64353 (shared CWE-502)
CVE-2025-31047 (shared CWE-502)
CVE-2026-27096 (shared CWE-502)
CVE-2023-49886 (shared CWE-502)
CVE-2026-23542 (shared CWE-502)
CVE-2025-66631 (shared CWE-502)
CVE-2026-40044 (shared CWE-502)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Directly mitigates the PHP Object Injection vulnerability by requiring timely identification, reporting, and patching of affected All-in-One WP Migration versions (7.89 and earlier).

SI-10 Information Input Validation (prevent)

Prevents exploitation of deserialization of untrusted input in the replace_serialized_values function by validating and sanitizing inputs before they are processed.

Restriction of user-installed software (prevent)

Mitigates risk by prohibiting or restricting user installation of unapproved third-party WordPress plugins, such as All-in-One WP Migration, that introduce deserialization vulnerabilities.

References