WordPress migration add-on flaw could lead to data breaches

All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.

All-in-One WP Migration is a user-friendly WordPress site migration tool aimed at non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.

Patchstack reports that several premium extensions offered by the plugin's vendor, ServMask, all contain the same snippet of vulnerable code, which lacks permission and nonce validation in the init function.

This code is present in the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, which were created to facilitate data migration using those third-party platforms.

The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or to restore malicious backups.

The primary consequence of successfully exploiting CVE-2023-40004 is a data breach that could include user details, critical website data, and proprietary information.

The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.

The broken access control flaw was discovered by Patchstack researcher Rafie Muhammad on July 18, 2023, and reported to ServMask for fixing.

The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.

Applied patch (Patchstack)
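To illustrate the class of bug and the shape of the fix described above, here is an added example of a hypothetical WordPress extension handler hooked to the init action, shown without and with the permission and nonce checks. This is not ServMask's code and not the actual patched snippet (the article does not reproduce it); the function, option and nonce names are made up.

```php
<?php
// Hypothetical illustration only, not code from the affected extensions.
// Both handlers run on WordPress's 'init' action, which fires for every
// request, authenticated or not, so any state change here needs its own checks.

// VULNERABLE: any unauthenticated visitor can overwrite the stored cloud token.
function example_cloud_init_vulnerable() {
    if ( isset( $_POST['example_cloud_token'] ) ) {
        // No current_user_can() and no nonce check before changing site state.
        update_option( 'example_cloud_token', $_POST['example_cloud_token'] );
    }
}

// FIXED: only administrators submitting a valid nonce may change the token.
function example_cloud_init_fixed() {
    if ( ! isset( $_POST['example_cloud_token'] ) ) {
        return;
    }
    // Permission check: rejects unauthenticated users and low-privilege roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: blocks cross-site request forgery against a logged-in admin.
    // The nonce is expected from a form built with
    // wp_nonce_field( 'example_cloud_save_token', 'example_cloud_nonce' ).
    $nonce = isset( $_POST['example_cloud_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_cloud_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_cloud_save_token' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    // Sanitize before persisting; the token is stored as plain text here.
    $token = sanitize_text_field( wp_unslash( $_POST['example_cloud_token'] ) );
    update_option( 'example_cloud_token', $token );
}

add_action( 'init', 'example_cloud_init_fixed' );
```

When auditing a plugin for this pattern, look for any init or admin_init callback that writes options or files based on request parameters and confirm both a capability check and a nonce check precede the write.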

Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Additionally, users are recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.
