Backup Migration WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Backup Migration plugin for WordPress, affecting all versions up to and including 1.4.6. The issue arises from the deserialization of untrusted input in the 'recursive_unserialize_replace' function: the plugin passes data it does not control to PHP's unserialize() without restricting which classes may be instantiated, allowing unauthenticated attackers to inject a PHP object. The vulnerable code path is only reached after an administrator creates a staging site, so exploitation requires that step to have been taken.

Impact

Successful exploitation lets an attacker instantiate arbitrary classes on the server and have their magic methods (such as __wakeup and __destruct) run with the plugin's privileges. What that achieves depends on the gadget (POP) chain available on the target, that is, on the classes loadable from the site's other plugins and themes; depending on the chain present, it could lead to arbitrary file deletion, unauthorized access to sensitive data, or execution of malicious code on the server.

Reproduction

To reproduce this vulnerability, an administrator must first create a staging site. Once the staging site is active, the vulnerability is triggered by sending a request that delivers a crafted serialized string (a PHP object literal of the form O:<len>:"ClassName":...) to the input that the 'recursive_unserialize_replace' function processes. The function hands that string to unserialize(), which instantiates the named class and invokes its magic methods, so with a suitable gadget class on the target the injected object can be used to perform arbitrary actions, such as deleting files or executing code.
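The following is an added example, not code from the Backup Migration plugin or from this advisory. It reconstructs the serialize-aware search/replace pattern that a function named recursive_unserialize_replace typically implements (the body, the Hypothetical_Gadget class and the payload are all assumptions), and shows the vulnerable form next to a hardened one that uses the allowed_classes option of unserialize().

```php
<?php
// Added example (not the Backup Migration plugin's code): an illustrative
// reconstruction of the serialize-aware search/replace pattern that a function
// named recursive_unserialize_replace typically implements, in a vulnerable
// and a hardened form. Class and function names here are assumed.

// Stand-in for a gadget class that some other installed plugin or theme might
// provide. It only records what a real gadget would do instead of doing it.
class Hypothetical_Gadget {
    public $path = '';
    public static $log = [];
    public function __destruct() {
        // A real gadget might call unlink($this->path) or include it.
        self::$log[] = 'would delete: ' . $this->path;
    }
}

// Vulnerable pattern: unserialize() with default options instantiates any
// class named in the input, runs its __wakeup()/__unserialize(), and later
// its __destruct(). A crafted "O:..." string in the processed data is enough.
function recursive_unserialize_replace_vulnerable($from, $to, $data) {
    if (is_string($data)) {
        $unserialized = @unserialize($data);
        if ($unserialized !== false) {
            $replaced = recursive_unserialize_replace_vulnerable($from, $to, $unserialized);
            return serialize($replaced);
        }
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = recursive_unserialize_replace_vulnerable($from, $to, $value);
        }
        return $data;
    }
    if (is_object($data)) {
        foreach ($data as $key => $value) {
            $data->$key = recursive_unserialize_replace_vulnerable($from, $to, $value);
        }
        return $data;
    }
    return $data;
}

// Hardened pattern: allowed_classes => false (PHP >= 7.0) turns every object
// into __PHP_Incomplete_Class, so no attacker-chosen class is loaded and no
// magic method runs. Serialized objects are returned untouched rather than
// edited; only scalars and arrays get the string replacement.
function recursive_unserialize_replace_hardened($from, $to, $data) {
    if (is_string($data)) {
        $unserialized = @unserialize($data, ['allowed_classes' => false]);
        if ($unserialized !== false) {
            if (is_object($unserialized)) {
                // __PHP_Incomplete_Class: leave serialized objects alone.
                return $data;
            }
            $replaced = recursive_unserialize_replace_hardened($from, $to, $unserialized);
            return serialize($replaced);
        }
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = recursive_unserialize_replace_hardened($from, $to, $value);
        }
        return $data;
    }
    return $data;
}

// Constructed attacker-controlled value as it might sit in migrated data.
// Lengths: "Hypothetical_Gadget" is 19 chars, "/var/www/x.php" is 14 chars.
$payload = 'O:19:"Hypothetical_Gadget":1:{s:4:"path";s:14:"/var/www/x.php";}';

Hypothetical_Gadget::$log = [];
recursive_unserialize_replace_vulnerable('old.example', 'new.example', $payload);
echo "vulnerable: " . count(Hypothetical_Gadget::$log) . " destructor call(s)\n";
echo "  " . implode("\n  ", Hypothetical_Gadget::$log) . "\n";

Hypothetical_Gadget::$log = [];
$safe = recursive_unserialize_replace_hardened('old.example', 'new.example', $payload);
echo "hardened:   " . count(Hypothetical_Gadget::$log) . " destructor call(s)\n";
echo "  returned unchanged: " . var_export($safe === $payload, true) . "\n";

// A benign serialized array still gets its strings rewritten in both versions.
$benign = serialize(['home' => 'https://old.example/blog']);
echo "benign:     " . recursive_unserialize_replace_hardened('old.example', 'new.example', $benign) . "\n";
```

Run with `php example.php`. The vulnerable function reports one destructor call for the crafted value because unserialize() built a Hypothetical_Gadget and PHP destroyed it when the function returned; the hardened function reports none and returns the crafted string unchanged, while the benign serialized array is rewritten as intended. Returning serialized objects untouched is the conservative choice; a migration tool that must rewrite object properties can instead pass an explicit allow-list of its own classes in allowed_classes.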

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.2
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.