All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.
Patchstack reports that various premium extensions offered by the plugin's vendor, ServMask, all contain the same snippet of vulnerable code, which lacks permission and nonce validation in the init function.
This code is present in the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, which were created to facilitate data migration using those third-party platforms.
The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or to restore malicious backups.
The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that might include user details, critical website data, and proprietary information.
The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.
The broken access control flaw was discovered by Patchstack researcher Rafie Muhammad on July 18, 2023, and reported to ServMask for fixing.
The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.
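The pattern described above (an init handler that changes a stored token without permission or nonce validation, and the same handler with both checks) looks like this in WordPress. This is an added illustration, not ServMask's code: the function, option, action, and parameter names are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Hypothetical extension code: every "example_ext_*" name is illustrative
// and is not taken from the affected extensions.

// BEFORE: 'init' fires on every request, including unauthenticated ones.
function example_ext_init_vulnerable() {
    if ( isset( $_GET['example_ext_token'] ) ) {
        // No capability check and no nonce: any visitor reaching this
        // code path can overwrite the stored cloud-storage token.
        update_option( 'example_ext_token', $_GET['example_ext_token'] );
    }
}
// Registration left commented out so this file is safe to load:
// add_action( 'init', 'example_ext_init_vulnerable' );

// AFTER: the same handler with permission and nonce validation.
function example_ext_init_hardened() {
    if ( ! isset( $_GET['example_ext_token'] ) ) {
        return; // Nothing to do on ordinary requests.
    }

    // Permission check: only users who can manage site options may
    // change the token. Unauthenticated requests fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce check: the request must carry a nonce this site issued for
    // this action, which blocks cross-site request forgery against a
    // logged-in administrator. check_admin_referer() dies on failure.
    check_admin_referer( 'example_ext_save_token', 'example_ext_nonce' );

    // Normalize the value before storing it.
    $token = sanitize_text_field( wp_unslash( $_GET['example_ext_token'] ) );
    update_option( 'example_ext_token', $token );
}
add_action( 'init', 'example_ext_init_hardened' );
```

Both checks are needed: the capability check stops anonymous and low-privilege callers, while the nonce stops a forged request that rides on an administrator's session.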
Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:
- Box Extension: v1.54
- Google Drive Extension: v2.80
- OneDrive Extension: v1.67
- Dropbox Extension: v3.76
Users are also advised to run the latest version of the (free) base plugin, All-in-One WP Migration v7.78.