Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks

A vulnerability in several extensions for the All-in-One WP Migration plugin could expose WordPress websites to attacks leading to sensitive information disclosure.

With more than 5 million installations and maintained by ServMask, All-in-One WP Migration is a highly popular plugin for moving websites that also offers several premium extensions for migrating to third-party platforms.

On Wednesday, WordPress security firm Patchstack shared details on a vulnerability impacting All-in-One WP Migration's Box, Google Drive, OneDrive, and Dropbox extensions that could allow attackers to access sensitive information.

Tracked as CVE-2023-40004 and described as an unauthenticated access token manipulation issue, the bug could allow an unauthenticated attacker to tamper with the access token configuration of the affected extension.

“This access token manipulation could result in a potential sensitive information disclosure of migration to the attacker’s controlled third-party account or restore a malicious backup,” Patchstack says.

The flaw was identified in the init function of the affected extensions, which is “hooked to the WordPress’s admin_init hook”, which in turn can be triggered by an attacker without authentication.

“Since there is no permission and nonce validation on the init function, an unauthenticated user is able to modify or delete the access token used on each of the affected extensions,” Patchstack explains.

On July 18, the WordPress security firm reported the vulnerability to ServMask, which patched the bug in all impacted extensions by “adding permission and nonce validation on the init function”.
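To illustrate the pattern behind the flaw and the fix, the following is an added example written for this article, not code from ServMask's extensions; the handler, option and request-parameter names (`hypothetical_ext_*`, `hyp_ext_*`) are invented. It shows a token-handling function hooked to `admin_init` without any checks, beside the same function with the permission (capability) and nonce validation the patch added.

```php
<?php
// Added illustration with invented names, not the actual plugin code.
// A hypothetical extension whose init() stores or clears a cloud
// storage access token based on request parameters.

// BEFORE: hooked to admin_init with no capability or nonce check.
// admin_init also fires for admin-ajax.php requests, which WordPress
// serves to unauthenticated visitors, so anyone can reach this code
// and overwrite or delete the stored token.
function hypothetical_ext_init_vulnerable() {
    if ( isset( $_POST['hyp_ext_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_POST['hyp_ext_token'] ) );
        update_option( 'hyp_ext_access_token', $token );
    }
    if ( isset( $_POST['hyp_ext_revoke'] ) ) {
        delete_option( 'hyp_ext_access_token' );
    }
}
// add_action( 'admin_init', 'hypothetical_ext_init_vulnerable' );

// AFTER: the same handler with the two checks the advisory describes.
function hypothetical_ext_init_fixed() {
    if ( ! isset( $_POST['hyp_ext_token'] ) && ! isset( $_POST['hyp_ext_revoke'] ) ) {
        return; // nothing to do on ordinary admin page loads
    }
    // 1. Permission validation: only a user who may manage site options
    //    (administrators by default) is allowed to touch the token.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hyp-ext' ), '', array( 'response' => 403 ) );
    }
    // 2. Nonce validation: the request must carry the nonce emitted by our
    //    own settings form, which also blocks cross-site request forgery
    //    against a logged-in administrator. check_admin_referer() dies on failure.
    check_admin_referer( 'hyp_ext_token_action', 'hyp_ext_nonce' );

    if ( isset( $_POST['hyp_ext_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_POST['hyp_ext_token'] ) );
        update_option( 'hyp_ext_access_token', $token );
    } elseif ( isset( $_POST['hyp_ext_revoke'] ) ) {
        delete_option( 'hyp_ext_access_token' );
    }
}
add_action( 'admin_init', 'hypothetical_ext_init_fixed' );

// The settings form that submits these fields must render the matching
// nonce field so legitimate requests pass check 2:
//   wp_nonce_field( 'hyp_ext_token_action', 'hyp_ext_nonce' );
```

When auditing a plugin for this class of bug, look for any `admin_init` callback that reads `$_POST`/`$_GET` and writes options without a preceding `current_user_can()` and `check_admin_referer()`/`wp_verify_nonce()` call.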

Users are advised to update to All-in-One WP Migration’s Box extension version 1.54, Google Drive extension version 2.80, OneDrive extension version 1.67, and Dropbox extension version 3.76, which were released at the end of July.
