CVE-2024-10942 Overview
CVE-2024-10942 is a PHP Object Injection vulnerability in the All-in-One WP Migration and Backup plugin for WordPress. The flaw affects all versions up to and including 7.89 and lies in the replace_serialized_values function, which deserializes untrusted input and so lets unauthenticated attackers inject arbitrary PHP objects into the application. Exploitation requires an administrator to export and restore a backup, so this is classed as a user-interaction vulnerability. No Property-Oriented Programming (POP) chain exists in the plugin itself, but a chain provided by another installed plugin or theme could enable arbitrary file deletion, sensitive data retrieval, or code execution. The vulnerability is tracked under CWE-502: Deserialization of Untrusted Data.
Critical Impact
Unauthenticated attackers can inject PHP objects that, when combined with an external POP chain, may lead to arbitrary file deletion, data exfiltration, or remote code execution.
Affected Products
- All-in-One WP Migration and Backup plugin for WordPress
- All plugin versions up to and including 7.89
- WordPress sites where administrators import backup archives produced by an attacker
Discovery Timeline
- 2025-03-13 - CVE-2024-10942 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-10942
Vulnerability Analysis
The vulnerability resides in the replace_serialized_values function located in lib/vendor/servmask/database/class-ai1wm-database-utility.php. During backup restoration, the plugin processes serialized values from the backup archive and passes them to PHP's unserialize() routine without sufficient validation. Attacker-controlled serialized data is treated as trusted, enabling instantiation of arbitrary PHP objects within the application context. Although the plugin codebase does not ship a usable POP chain, WordPress sites frequently load dozens of plugins and themes that introduce exploitable magic methods such as __destruct, __wakeup, or __toString. When such gadgets exist, an injected object can chain into operations that delete files, read sensitive configuration, or invoke arbitrary code paths.
Root Cause
The root cause is unsafe deserialization of attacker-controlled data inside the backup restoration workflow. The function does not enforce an allow-list of permitted classes and does not validate the integrity or origin of serialized payloads before invoking PHP object instantiation.
Attack Vector
An attacker crafts a malicious backup archive containing serialized PHP objects designed to trigger gadget chains present in third-party plugins or themes. The attacker delivers this archive to a target site administrator through social engineering or by hosting it on an attacker-controlled domain. When the administrator imports the backup using All-in-One WP Migration, the plugin deserializes the embedded payload and instantiates the attacker's objects. The required administrator interaction increases attack complexity but does not require attacker authentication to the target system. Technical details are available in the WordPress Plugin Code Review and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2024-10942
Indicators of Compromise
- Presence of All-in-One WP Migration plugin version 7.89 or earlier on WordPress installations
- Unexpected .wpress backup files appearing in wp-content/ai1wm-backups/ from unknown sources
- Web server logs showing POST requests to admin-ajax.php with action=ai1wm_import from unfamiliar administrator sessions
- File deletions, configuration reads, or process executions originating from the PHP-FPM or web server worker immediately after a backup restoration event
Detection Strategies
- Inspect imported .wpress archives for serialized PHP objects containing class names not native to WordPress core or the plugin (e.g., references to O: followed by unexpected class identifiers)
- Monitor the replace_serialized_values execution path with PHP error logging or runtime application self-protection (RASP) tooling to flag deserialization of non-stdClass objects
- Correlate backup import events with subsequent anomalous file system writes, deletions, or outbound network connections
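As an added example (not code from the plugin, Wordfence or WordPress), a Python walker over PHP's serialize() format that implements the first strategy above: it lists every O:/C: class declaration in a serialized value lifted from a backup's database dump and flags those outside an allow-list. The allow-list, the sample value and the class name Example_Gadget are constructed for illustration.

```python
# Added example (not the plugin's code): walk PHP serialize() output and flag
# O:/C: class names outside an allow-list. The s: length prefix is honoured,
# so an 'O:' that merely appears inside a string value is not reported.
import re

ALLOWED = {"stdClass"}                     # constructed allow-list; extend per site
_SCALAR = re.compile(rb"[ibdrR]:[^;]*;")   # i:1; b:0; d:2.5; r:3; R:3;

def extract_classes(data: bytes) -> list:
    """Return every class name declared by an O: or C: token, in order."""
    found = []
    def length_at(pos):
        # Parse the decimal field starting at pos; return (value, index of its ':').
        colon = data.index(b":", pos)
        return int(data[pos:colon]), colon
    def walk(pos):
        # Consume one value starting at pos; return the offset just past it.
        tag = data[pos:pos + 1]
        if tag == b"N":                             # N;
            return pos + 2
        if tag in (b"i", b"b", b"d", b"r", b"R"):   # scalar, runs to ';'
            return _SCALAR.match(data, pos).end()
        if tag == b"s":                             # s:LEN:"bytes";
            length, colon = length_at(pos + 2)
            return colon + 2 + length + 2
        if tag in (b"O", b"C"):                     # O:LEN:"Name":N:{...}  C:LEN:"Name":DLEN:{...}
            length, colon = length_at(pos + 2)
            found.append(data[colon + 2:colon + 2 + length].decode())
            count, colon = length_at(colon + 2 + length + 2)
            if tag == b"C":                         # opaque payload of DLEN bytes
                return colon + 2 + count + 1
        elif tag == b"a":                           # a:N:{key;value;...}
            count, colon = length_at(pos + 2)
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {pos}")
        pos = colon + 2                             # skip ':{'
        for _ in range(count):
            pos = walk(walk(pos))                   # key, then value
        return pos + 1                              # skip '}'
    pos = 0
    while pos < len(data):
        pos = walk(pos)
    return found

def flag_untrusted(data: bytes, allowed=ALLOWED) -> list:
    # Class names restore would instantiate that the allow-list does not permit.
    return sorted({c for c in extract_classes(data) if c not in allowed})

# Constructed sample: benign stdClass, decoy string containing 'O:', hypothetical gadget object.
SAMPLE = (b'a:3:{i:0;O:8:"stdClass":1:{s:3:"foo";i:1;}'
          b'i:1;s:16:"O:5:"Decoy":0:{}";'
          b'i:2;O:14:"Example_Gadget":1:{s:4:"path";s:8:"/tmp/foo";}}')
```

Run it over each serialized option value extracted from the archive's SQL dump; any non-empty result is a value to inspect before the restore proceeds.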
Monitoring Recommendations
- Forward WordPress, PHP, and web server logs to a centralized SIEM and alert on ai1wm_import actions outside change windows
- Track the EPSS probability of 0.738% and re-evaluate exposure as exploitation likelihood shifts
- Enable file integrity monitoring on wp-content/, wp-config.php, and active plugin directories to detect post-exploitation tampering
How to Mitigate CVE-2024-10942
Immediate Actions Required
- Upgrade All-in-One WP Migration and Backup to a version newer than 7.89 immediately
- Restrict backup import operations to vetted administrators and require multi-factor authentication on all administrator accounts
- Audit installed plugins and themes for known POP chain gadgets and remove any unused or unmaintained extensions
Patch Information
The vendor addressed the vulnerability via the changeset published at WordPress Changeset 3253940. Site operators must update through the WordPress plugin updater or by replacing the plugin directory with a patched release. Verify the installed version after patching to confirm remediation.
Workarounds
- Disable or remove the All-in-One WP Migration plugin until the patched version is deployed
- Block uploads of .wpress archives at the web application firewall (WAF) layer when imports are not actively required
- Refuse to import backup archives received from any third party and only restore from archives generated by trusted internal sources
# Configuration example - WordPress CLI upgrade and verification
wp plugin update all-in-one-wp-migration
wp plugin get all-in-one-wp-migration --field=version
# Optionally deactivate until patched
wp plugin deactivate all-in-one-wp-migration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.