All-in-One WP Migration vulnerable to unauthenticated access
Take action: Not an urgent patch, but a smart one. Update the WordPress plugin (automatically, if your site allows it). It takes a couple of minutes.
A security vulnerability has been discovered in the All-in-One WP Migration plugin, a widely used data migration tool for WordPress sites with 5 million active installations.
The flaw is tracked as CVE-2023-40004. Because the affected code does not validate who is making the request, attackers could manipulate unauthenticated access tokens to gain access to sensitive site information, potentially redirecting migration data to their own cloud service accounts or restoring malicious backups. Exploiting this flaw could therefore result in a data breach, compromising user details, website data, and proprietary information.
The plugin's premium extensions, including Box, Google Drive, OneDrive, and Dropbox, contain the same vulnerable code lacking proper permission and nonce validation.
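The root cause described above, missing permission and nonce validation on a request handler, is a common WordPress plugin weakness. The following is an added illustration written for this article, not ServMask's code and not the plugin's actual handler: a generic AJAX handler that accepts a cloud-storage token without any check, placed beside a hardened version that requires a logged-in user with the right capability and a valid nonce. The hook names, nonce action and option key (`example_migration_save_token`, `example_migration_token`) are assumptions chosen for the example.

```php
<?php
// Added example (hypothetical plugin code), not the All-in-One WP Migration source.
// All functions used here are standard WordPress core APIs.

// --- Weak pattern: reachable without login, no capability or nonce check. ---
// 'wp_ajax_nopriv_*' exposes the handler to unauthenticated visitors, and the
// token is stored straight from the request, so anyone could change it.
function example_migration_save_token_weak() {
    $token = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    update_option( 'example_migration_token', $token );
    wp_send_json_success( array( 'saved' => true ) );
}
add_action( 'wp_ajax_example_migration_save_token_weak', 'example_migration_save_token_weak' );
add_action( 'wp_ajax_nopriv_example_migration_save_token_weak', 'example_migration_save_token_weak' );

// --- Hardened pattern: logged-in only, capability check, nonce check. ---
function example_migration_save_token_hardened() {
    // 1. Only users allowed to export site data may change where migrations go.
    //    Adjust the capability to the privilege the action actually needs.
    if ( ! current_user_can( 'export' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. The nonce ties the request to a form/page this user was actually shown,
    //    which blocks cross-site request forgery. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_migration_save_token', 'nonce' );

    // 3. Sanitize and validate the value before persisting it.
    $token = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    if ( '' === $token || strlen( $token ) > 512 ) {
        wp_send_json_error( array( 'message' => 'Invalid token.' ), 400 );
    }

    update_option( 'example_migration_token', $token );
    wp_send_json_success( array( 'saved' => true ) );
}
// Note: no 'wp_ajax_nopriv_' registration, so anonymous requests never reach the handler.
add_action( 'wp_ajax_example_migration_save_token_hardened', 'example_migration_save_token_hardened' );

// The admin page that issues the request must embed a matching nonce, e.g.:
function example_migration_enqueue_nonce() {
    wp_localize_script(
        'example-migration-admin', // handle of an already-registered admin script (assumed)
        'exampleMigration',
        array( 'nonce' => wp_create_nonce( 'example_migration_save_token' ) )
    );
}
add_action( 'admin_enqueue_scripts', 'example_migration_enqueue_nonce' );
```

The three checks are independent and all three matter: the capability check answers "may this user do this", the nonce check answers "did this user intend this request", and the absence of a `nopriv` hook keeps anonymous traffic out entirely. Auditing a plugin for this class of bug means looking for state-changing handlers (AJAX actions, REST routes, `admin_post` hooks) that are missing any one of them.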
The security issue was fixed by ServMask, the vendor of the plugin, with the latest version of the free base plugin, All-in-One WP Migration v7.78 released on July 26, 2023.
Users of the impacted premium extensions are advised to update to the fixed versions: