CVE-2024-10932: CWE-502 Deserialization of Untrusted Data in inisev BackupBliss – Backup & Migration with Free Cloud Storage
The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.
AI Analysis
Technical Summary
CVE-2024-10932 is a PHP Object Injection vulnerability in the BackupBliss WordPress plugin (versions up to 1.4.6) caused by unsafe deserialization of untrusted input in the 'recursive_unserialize_replace' function. An unauthenticated attacker can inject malicious PHP objects, leveraging a POP chain to achieve arbitrary file deletion, data disclosure, or code execution. Exploitation requires an administrator to create a staging site, which triggers the vulnerable code path. The CVSS v3.1 base score is 8.8, reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and high impact on confidentiality, integrity, and availability.
Potential Impact
The vulnerability allows unauthenticated attackers to inject PHP objects via deserialization, potentially leading to deletion of arbitrary files, exposure of sensitive information, or remote code execution. However, exploitation requires an administrator to perform an action (creating a staging site), which limits the attacker's capabilities to some extent. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability if exploited.
Mitigation Recommendations
No official patch or fix information is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, administrators should avoid creating staging sites using the vulnerable plugin version and consider disabling or removing the plugin if possible. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2024-10932: CWE-502 Deserialization of Untrusted Data in inisev BackupBliss – Backup & Migration with Free Cloud Storage
Description
The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-10932 is a PHP Object Injection vulnerability in the BackupBliss WordPress plugin (versions up to 1.4.6) caused by unsafe deserialization of untrusted input in the 'recursive_unserialize_replace' function. An unauthenticated attacker can inject malicious PHP objects, leveraging a POP chain to achieve arbitrary file deletion, data disclosure, or code execution. Exploitation requires an administrator to create a staging site, which triggers the vulnerable code path. The CVSS v3.1 base score is 8.8, reflecting network attack vector, low attack complexity, no privileges required, but user interaction needed, and high impact on confidentiality, integrity, and availability.
Potential Impact
The vulnerability allows unauthenticated attackers to inject PHP objects via deserialization, potentially leading to deletion of arbitrary files, exposure of sensitive information, or remote code execution. However, exploitation requires an administrator to perform an action (creating a staging site), which limits the attacker's capabilities to some extent. The high CVSS score indicates significant potential impact on system confidentiality, integrity, and availability if exploited.
Mitigation Recommendations
No official patch or fix information is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, administrators should avoid creating staging sites using the vulnerable plugin version and consider disabling or removing the plugin if possible. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-06T17:21:23.499Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e03b7ef31ef0b593909
Added to database: 2/25/2026, 9:47:47 PM
Last enriched: 4/9/2026, 5:54:01 AM
Last updated: 4/12/2026, 5:31:28 PM
Views: 27
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.