WordPress migration add-on flaw might result in data breaches

All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.

All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that's easy to restore on a new destination.

Patchstack reports that various premium extensions offered by the plugin's vendor, ServMask, all contain the same snippet of vulnerable code that lacks permission and nonce validation in the init function.

This code is present in the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, which were created to facilitate data migration using those third-party platforms.

The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or restore malicious backups.

The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that may include user details, critical website data, and proprietary information.

The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.

The broken access control flaw was discovered by Patchstack's researcher Rafie Muhammad on July 18, 2023, and reported to ServMask for fixing.

The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.

Applied patch (Patchstack)
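The class of fix described above, permission and nonce validation in a handler hooked on `init`, looks like the following in WordPress. This is an added illustration, not ServMask's code or the actual patch: the function names, option name, request parameter, nonce action and the choice of the `import` capability are all hypothetical, and the file is assumed to be loaded as a plugin inside WordPress.

```php
<?php
// Hypothetical extension code: the option name, request parameter and nonce
// action are invented for illustration and are not taken from ServMask.

// BEFORE: 'init' fires on every request, including anonymous front-end
// requests, so a handler with no checks lets any visitor overwrite the
// stored cloud-storage token.
function example_ext_init_unchecked() {
    if ( isset( $_GET['example_ext_token'] ) ) {
        update_option(
            'example_ext_token',
            sanitize_text_field( wp_unslash( $_GET['example_ext_token'] ) )
        );
    }
}
// Deliberately not hooked: shown only for comparison with the version below.

// AFTER: the token is written only for a logged-in user who holds a
// sufficient capability and whose request carries a valid nonce.
function example_ext_init_checked() {
    if ( ! isset( $_GET['example_ext_token'] ) ) {
        return; // Nothing to do on ordinary page loads.
    }

    // Permission validation ('import' is an assumed capability choice).
    if ( ! current_user_can( 'import' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Nonce validation: binds the request to a form this user loaded,
    // which also blocks cross-site request forgery against an admin.
    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_ext_save_token' ) ) {
        wp_die( 'Invalid or expired nonce.', '', array( 'response' => 403 ) );
    }

    update_option(
        'example_ext_token',
        sanitize_text_field( wp_unslash( $_GET['example_ext_token'] ) )
    );
}
add_action( 'init', 'example_ext_init_checked' );
```

Both checks are needed: the capability check stops anonymous and low-privilege callers, while the nonce stops a forged request from riding on an administrator's session.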

Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Additionally, users are recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.
