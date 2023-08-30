A recently disclosed security flaw in the premium extensions of the widely used All-in-One WP Migration plugin has left a large number of WordPress websites exposed to unauthenticated manipulation of the extensions' stored third-party access tokens. By replacing a site's token with one they control, attackers could divert backups, which contain sensitive site data, to a third-party account of their own, or restore a malicious backup onto the site.

The All-in-One WP Migration plugin, which reports over 60 million installations, is a popular tool for migrating WordPress sites. It offers premium extensions that integrate with third-party storage platforms such as Box, Google Drive, OneDrive, and Dropbox.

Security researchers at PatchStack, led by Rafie Muhammad, identified the vulnerable code in the init function of the affected extensions. The flaw stems from missing permission and nonce validation: the function that updates the stored access token is hooked to the WordPress admin_init action, and admin_init fires for every request that loads the admin bootstrap, including unauthenticated requests to admin-ajax.php and admin-post.php. Because the handler neither checked the caller's capabilities nor verified a nonce, any unauthenticated visitor could set the token.

To mitigate the risk, PatchStack recommends that plugin and theme developers implement both permission and nonce validation in any function hooked to admin_init. A capability check (for example, current_user_can) establishes that the request comes from an authorized user, and a nonce check ties the request to a form that user actually submitted, which also blocks cross-site request forgery. Neither check on its own is sufficient: a nonce without a capability check can be obtained by any logged-in user, and a capability check without a nonce leaves an administrator open to being tricked into submitting the request.
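The following is an added illustration of the pattern described above, not code from the All-in-One WP Migration extensions or from PatchStack. It shows a minimal admin_init handler that updates a stored access token without any checks, beside a hardened version that applies a capability check and a nonce check. The option name, request parameter, nonce action, and function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Option name, parameter name,
// nonce action and nonce field name are hypothetical.

// Vulnerable pattern: admin_init also fires for unauthenticated requests to
// admin-ajax.php and admin-post.php, so this handler lets anyone who can reach
// the site overwrite the stored token with a value they control.
function example_vulnerable_init() {
    if ( isset( $_POST['example_access_token'] ) ) {
        update_option(
            'example_cloud_access_token',
            sanitize_text_field( wp_unslash( $_POST['example_access_token'] ) )
        );
    }
}
add_action( 'admin_init', 'example_vulnerable_init' );

// Hardened pattern: first require an administrator-level capability, then
// verify a nonce bound to this specific action before touching the option.
function example_hardened_init() {
    if ( ! isset( $_POST['example_access_token'] ) ) {
        return;
    }

    // Unauthenticated visitors and low-privilege users fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // Dies with a 403 unless the request carries a valid nonce for
    // 'example_update_token' in the 'example_token_nonce' field.
    check_admin_referer( 'example_update_token', 'example_token_nonce' );

    update_option(
        'example_cloud_access_token',
        sanitize_text_field( wp_unslash( $_POST['example_access_token'] ) )
    );
}
add_action( 'admin_init', 'example_hardened_init' );

// The settings form that submits the token must emit the matching nonce field:
//   wp_nonce_field( 'example_update_token', 'example_token_nonce' );
```

The order of the two checks matters little for security, but running the capability check first avoids spending a nonce verification on requests that could never be authorized. If the handler is only meant to run for AJAX submissions, hooking it to a dedicated wp_ajax_{action} action instead of admin_init narrows the attack surface further, because the wp_ajax_nopriv_ variant is then never registered.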

The plugin developer was notified of the flaw on July 18, and patched versions of the affected extensions were released on July 26. Users of the All-in-One WP Migration extensions are strongly advised to update immediately to the patched versions listed in the security advisory, and to rotate any third-party access tokens stored by the extensions if an unexpected token change is found.

In light of this flaw, WordPress site owners should treat plugin and theme updates as a security task rather than a maintenance chore. Regularly updating to the latest patched versions closes known vulnerabilities before they can be exploited.

Source: PatchStack, security research team led by Rafie Muhammad