CVE-2024-3054 is a deserialization of untrusted data vulnerability (CWE-502) in the WPvivid Backup & Migration Plugin for WordPress, affecting all versions up to and including 0.9.99. The issue arises from insufficient path validation on the tree_node[node][id] parameter in the wpvividstg_get_custom_exclude_path_free action, allowing authenticated admin users to exploit PHAR deserialization. Although the plugin lacks a POP chain, exploitation could be escalated if a POP chain exists in other installed components, potentially leading to file deletion, sensitive data disclosure, or code execution. The CVSS 3.1 base score is 7.2 (high severity) with network attack vector, low attack complexity, high privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.

An attacker with authenticated admin-level access can exploit this vulnerability to deserialize untrusted PHAR data, which may lead to arbitrary PHP object invocation. Without a POP chain in the plugin, direct exploitation is limited; however, if a POP chain exists in other installed plugins or themes, the attacker could delete arbitrary files, retrieve sensitive information, or execute arbitrary code, impacting confidentiality, integrity, and availability of the affected system.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is indicated in the provided data, administrators should monitor the vendor's communications for updates. In the meantime, restrict admin-level access to trusted users only and review installed plugins and themes for potential POP chains that could be leveraged in conjunction with this vulnerability.