CVE CyberSecurity Database News

CVE-2024-10957 - PHP Object Injection Vulnerability in UpdraftPlus WordPress Plugin Explained

Poster -

The safety of your WordPress site hinges on the security of the plugins you use. One popular plugin, UpdraftPlus: WP Backup & Migration Plugin, recently faced a critical vulnerability discovered under the identifier CVE-2024-10957. This long-read post takes a detailed, exclusive look at what this issue means, how an attacker might exploit it, code snippets showing the problem, and practical references for those who want to dive deeper.

What Is CVE-2024-10957?

UpdraftPlus, with millions of active installations, enables site backups and migrations. All versions up to 1.24.11 are affected by this flaw. CVE-2024-10957 is a PHP Object Injection (POI) vulnerability caused by unsafe deserialization of user-controlled input within the function recursive_unserialized_replace.

There’s no known POP chain in UpdraftPlus itself.

- If another installed plugin or theme has a POP chain (dangerous gadget), it could be abused to delete files, leak data, or execute code.

The Vulnerable Function

The root of the problem lies in the recursive_unserialized_replace function. It processes serialized input, blindly unserializing it:

function recursive_unserialized_replace($from, $to, $data, $serialized = false) {
    try {
        if (is_string($data)) {
            $unserialized = @unserialize($data);
            if ($unserialized !== false || $data === 'b:;') {
                $data = recursive_unserialized_replace($from, $to, $unserialized, true);
                return ($serialized) ? serialize($data) : $data;
            }
        } elseif (is_array($data)) {
            foreach ($data as $key => $value) {
                $data[$key] = recursive_unserialized_replace($from, $to, $value, false);
            }
        } elseif (is_object($data)) {
            foreach ($data as $property => $value) {
                $data->$property = recursive_unserialized_replace($from, $to, $value, false);
            }
        }
    } catch (Exception $e) {}

    return $data;
}

Notice the use of @unserialize($data), which attempts to unserialize whatever string is present without strict checks. Attackers can provide their own serialized PHP object, exploiting this loose approach.

1. Injection of Malicious Serialized Data

To inject a malicious object, an attacker submits their serialized string as search or replace input (for example, using WordPress admin forms or APIs exposed by UpdraftPlus).

Example of malicious serialized data

O:8:"stdClass":1:{s:4:"test";s:10:"malicious";}

If you have an installed plugin that provides a dangerous magic method (a POP chain, such as __destruct or __wakeup calling unlink()), the serialized object could trigger code execution, file deletion, or data theft when deserialized.

2. Admin Interaction Needed

Crucially, the object injection only occurs when an admin manually uses UpdraftPlus' "search and replace" functionality. If you'll never use it, that's a mitigating factor — but you can't predict all admin activity.

Attack flow

- Attacker submits search/replace string with serialized object.
- Admin performs search/replace.

Example Proof of Concept (PoC)

Here's how an attack might look in a simplified example. *(Note: This is for educational purposes, do not attempt on sites you do not own!)*

Suppose a site runs another vulnerable plugin with this sort of class

class Evil {
    public $fileToDelete = '/var/www/html/wp-config.php';
    function __destruct() {
        unlink($this->fileToDelete);
    }
}

An attacker crafts

$a = new Evil();
$a->fileToDelete = '/tmp/testfile.txt';
echo serialize($a);
// Output: O:4:"Evil":1:{s:12:"fileToDelete";s:16:"/tmp/testfile.txt";}

Step 2: Send Payload via UpdraftPlus

The attacker enters this string into a "search" or "replace" action input field.

### Step 3: Admin Performs Search/Replace

When the admin clicks the button, UpdraftPlus unserializes the data, the Evil object is instantiated, and depending on the gadget, destructive code is run!

Why Is This Dangerous?

- UpdraftPlus itself doesn't have a trigger (a "POP chain"), so on a default install, the injection isn't instantly exploitable.
- However, WordPress sites almost always run several plugins/themes. Some may include dangerous classes ("gadgets"), enabling real-world attacks.

Update UpdraftPlus.

Vulnerability fixed in version 1.24.12. Update immediately.

2. Review Other Plugins/Themes.

Restrict Access to Admin.

Only trusted users should have admin privileges. Consider tools that limit execution of search/replace actions.

Additional Reading

- WPScan Database: CVE-2024-10957
- Wordfence Advisory
- PHP Object Injection Explained
- Serialized PHP Object Attacks Basics

Conclusion

In short: While UpdraftPlus doesn't provide a complete attack chain on its own, its unsafe deserialization opens the door. If someone finds a POP chain in another plugin, your site could be at serious risk.

What you should do:

Patch UpdraftPlus right now.

- Audit your other plugins/themes.

Educate your admins about plugin safety.

Stay secure, keep your backup plugin updated, and always treat serialized data with skepticism!


*This guide is exclusive to this forum and aims to make a highly technical vulnerability accessible to WordPress site owners and developers.*

Timeline

Published on: 01/04/2025 14:15:22 UTC