CVE-2024-10942
Published: 13 March 2025
Summary
CVE-2024-10942 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked in the top 27.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the PHP Object Injection vulnerability by requiring timely identification, reporting, and patching of the flawed All-in-One WP Migration plugin up to version 7.89.
- SI-10 (Information Input Validation): prevents exploitation of deserialization of untrusted input in the replace_serialized_values function by validating and sanitizing inputs before processing.
- Restricting user-installed software: mitigates risk by prohibiting or restricting user installation of unapproved third-party WordPress plugins like All-in-One WP Migration that introduce deserialization vulnerabilities.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a deserialization flaw in a public-facing WordPress plugin that can be exploited by unauthenticated attackers to achieve RCE (via POP chain from other components), directly enabling initial access through exploitation of a public-facing application.
NVD Description
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.
Deeper analysis
CVE-2024-10942 is a PHP Object Injection vulnerability (CWE-502: Deserialization of Untrusted Data) in the All-in-One WP Migration and Backup plugin for WordPress, affecting all versions up to and including 7.89. The flaw stems from deserialization of untrusted input in the 'replace_serialized_values' function within the plugin's lib/vendor/servmask/database/class-ai1wm-database-utility.php component.
Unauthenticated attackers can exploit the vulnerability by injecting a PHP Object, but exploitation requires an administrator to export and then restore a backup, which triggers the deserialization. No known POP (Property-Oriented Programming) chain exists in the vulnerable software itself. However, if a POP chain is available through an additional plugin or theme on the target system, attackers could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating network accessibility with high attack complexity and user interaction required.
Patches addressing the issue are available via changeset 3253940 in the WordPress plugin Trac repository. Security practitioners should refer to the Wordfence threat intelligence advisory for further details on detection and remediation, along with the source code reference at line 97 in class-ai1wm-database-utility.php for understanding the fix. Updating the plugin is the primary mitigation.
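The mechanism described above, reduced to a stand-alone illustration. This is an added example, not code from the All-in-One WP Migration plugin, from WordPress, or from the changeset referenced above, and the AuditLogger class is a hypothetical stand-in for a gadget that some other plugin or theme might load (the page states that the vulnerable plugin itself ships no POP chain). It shows why a serialized-value rewriting routine that calls plain unserialize() on backup contents lets the payload choose which classes get instantiated, and the input-validation control (in the spirit of SI-10) of passing allowed_classes => false so that no magic methods can run:

```php
<?php
// Added example (not plugin or WordPress code). Requires PHP 7.4+.

// Hypothetical gadget class standing in for whatever a third-party theme or
// plugin might ship. Its destructor only prints, but any side effect placed
// here would run whenever plain unserialize() instantiates the class.
class AuditLogger
{
    public string $path = '/tmp/audit.log';

    public function __destruct()
    {
        echo "AuditLogger::__destruct ran with path={$this->path}\n";
    }
}

// Recursively rewrite $from -> $to in strings nested inside arrays. Objects
// are deliberately left untouched: an __PHP_Incomplete_Class placeholder must
// not be modified (PHP refuses), so it simply round-trips unchanged.
function replace_recursive($value, string $from, string $to)
{
    if (is_string($value)) {
        return str_replace($from, $to, $value);
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = replace_recursive($item, $from, $to);
        }
    }
    return $value;
}

// Vulnerable pattern: plain unserialize() instantiates any class named in
// the input, so __wakeup()/__destruct() of classes already loaded in the
// process run on attacker-chosen property values.
function replace_serialized_unsafe(string $serialized, string $from, string $to): string
{
    $value = unserialize($serialized);
    return serialize(replace_recursive($value, $from, $to));
}

// Hardened pattern: allowed_classes => false turns every object in the input
// into __PHP_Incomplete_Class, which carries no user-defined magic methods,
// so nothing executes. serialize() writes it back under the original class
// name, so the data structure survives the rewrite intact.
function replace_serialized_safe(string $serialized, string $from, string $to): string
{
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; 'b:0;' is the only
    // well-formed input that legitimately decodes to false.
    if ($value === false && $serialized !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data rejected');
    }
    return serialize(replace_recursive($value, $from, $to));
}

// Constructed inputs: an ordinary options array a migration would rewrite,
// and a serialized object naming the gadget class with a chosen property.
$options = serialize([
    'home'    => 'http://old.example',
    'uploads' => ['base' => 'http://old.example/wp-content/uploads'],
]);
$payload = 'O:11:"AuditLogger":1:{s:4:"path";s:17:"/tmp/attacker.log";}';

$rewritten = replace_serialized_safe($options, 'http://old.example', 'https://new.example');
echo "safe, options: {$rewritten}\n";

$roundTripped = replace_serialized_safe($payload, 'attacker', 'x'); // AuditLogger never instantiated
echo "safe, object:  {$roundTripped}\n";

$unsafe = replace_serialized_unsafe($payload, 'attacker', 'x');      // AuditLogger instantiated, destructor runs
echo "unsafe, object: {$unsafe}\n";
```

Two design points follow from the page's analysis. First, the hardened variant is a containment control, not a complete fix: it still parses attacker-controlled serialized data, and strings inside serialized objects are no longer rewritten, so the durable remediation remains the vendor patch (SI-2) and restoring backups only from trusted sources. Second, the gadget here is inert by construction; whether a real deployment is exploitable depends, as the NVD text says, on what other plugins or themes are loaded in the same PHP process, which is why the mitigations list also restricts unapproved plugin installation.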
Details
- CWE(s)