CVE-2022-2442 HIGH

CVE-2022-2442: Migration, Backup, Staging – WPvivid <= 0.9.74 - Authenticated (Admin+) PHAR Deserialization

Vendor Wpvividplugins
Product WPvivid — Backup, Migration & Staging
Weakness CWE-502 · Unsafe deserialization
Published September 6, 2022
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including 0.9.74. This makes it possible for authenticated attackers with administrative privileges to call files using a PHAR wrapper that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

Key dates

02Disclosure timeline

September 6, 2022 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-31129 jooby-pac4j: deserialization of untrusted data CVE-2024-22399 Apache Seata: Remote Code Execution vulnerability via Hessian Deserialization in Apache Seata Server CVE-2025-8145 Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection CVE-2025-7696 Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function CVE-2023-52182 WordPress ARI Stream Quiz Plugin <= 1.3.0 is vulnerable to PHP Object Injection