All-in-One WP Migration vulnerable to unauthenticated access

published: Aug. 30, 2023

Take action: Not an urgent patch but a smart patch. Just update the WordPress plugin automatically. It takes a couple of minutes.


A security vulnerability has been discovered in the All-in-One WP Migration plugin, a widely used data migration tool for WordPress sites with 5 million active installations.

The flaw is tracked as CVE-2023-40004. It allows attackers to manipulate the plugin's access tokens without authentication, which could give them access to sensitive site information, let them redirect migration data to a cloud service account they control, or let them restore malicious backups. A successful exploit could therefore result in a data breach compromising user details, website data, and proprietary information.

The plugin's premium extensions, including Box, Google Drive, OneDrive, and Dropbox, contain the same vulnerable code lacking proper permission and nonce validation.
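As an added illustration (not ServMask's code, and not the plugin's real function or option names, which are hypothetical here), this is the shape of the bug class the advisory describes in a WordPress AJAX handler that stores a cloud-storage access token, with the vulnerable form beside the hardened form:

```php
<?php
// Added example, not part of the advisory or the plugin. All names prefixed
// "ai1wm_demo_" are hypothetical stand-ins for a plugin's own handlers/options.

// --- Vulnerable shape: no nonce, no capability check, and registered on the
// wp_ajax_nopriv_ hook, so an unauthenticated visitor can reach it.
function ai1wm_demo_set_token_vulnerable() {
    // Anyone who can reach admin-ajax.php overwrites the stored token and can
    // point future migration uploads at an account they control.
    $token = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );
    update_option( 'ai1wm_demo_cloud_token', $token );
    wp_send_json_success();
}
add_action( 'wp_ajax_ai1wm_demo_set_token', 'ai1wm_demo_set_token_vulnerable' );
add_action( 'wp_ajax_nopriv_ai1wm_demo_set_token', 'ai1wm_demo_set_token_vulnerable' );

// --- Hardened shape: logged-in hook only, nonce validation, capability check.
function ai1wm_demo_set_token_secure() {
    // Dies with a 403 unless the request carries a valid nonce for this action
    // (blocks cross-site request forgery from a logged-in admin's browser).
    check_ajax_referer( 'ai1wm_demo_set_token', 'nonce' );

    // Only users who may manage site options can change migration settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $token = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }
    update_option( 'ai1wm_demo_cloud_token', $token );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_ai1wm_demo_set_token', 'ai1wm_demo_set_token_secure' );

// The nonce is issued only to the settings page that legitimately submits the request.
function ai1wm_demo_enqueue_settings_script() {
    wp_enqueue_script( 'ai1wm-demo-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ai1wm-demo-settings', 'ai1wmDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ai1wm_demo_set_token' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ai1wm_demo_enqueue_settings_script' );
```

The three controls are independent: dropping the `nopriv` hook stops anonymous callers, the nonce stops forged requests riding an admin session, and the capability check stops low-privilege accounts.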

The security issue was fixed by ServMask, the vendor of the plugin, with the latest version of the free base plugin, All-in-One WP Migration v7.78 released on July 26, 2023.

Users of the impacted premium extensions are advised to update to the fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76
