A popular data migration plugin for WordPress, All-in-One WP Migration, has been found to have a vulnerability that could allow attackers to access sensitive information on affected sites. The plugin, which has over 5 million active installations, is designed to make site migration easy for non-technical users.

The vulnerability, tracked as CVE-2023-40004, stems from a lack of permission and nonce validation in the init function of various premium extensions offered by the plugin’s vendor, ServMask. These extensions include Box, Google Drive, OneDrive, and Dropbox, which are commonly used for data migration.

Exploiting the vulnerability could allow unauthenticated users to manipulate token configurations, potentially diverting website migration data to their own third-party cloud service accounts or restoring malicious backups. This could lead to a significant data breach, exposing user details, critical website data, and proprietary information.

Fortunately, the risk posed by the vulnerability is somewhat mitigated by the fact that the All-in-One WP Migration plugin is typically only active during site migration projects and not during regular use.

The vulnerability was discovered by Rafie Muhammad, a researcher at PatchStack, on July 18, 2023. ServMask was promptly alerted, and security updates addressing the flaw were released on July 26, 2023. The updates introduce permission and nonce validation to the init function, effectively patching the vulnerability.
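To make the fix described above concrete, here is an added PHP illustration (not ServMask's code, and not taken from the advisory) of a WordPress extension that stores a cloud-service token from an `init` hook. The option name, query parameters and function names (`example_cloud_token`, `example_save_token`, `example_nonce`, `example_*`) are hypothetical; the WordPress API calls (`current_user_can`, `check_admin_referer`, `wp_nonce_url`, `update_option`) are real. The first function shows the unguarded pattern the article describes; the second adds the permission and nonce checks that the patched extensions introduced.

```php
<?php
// Added illustration, not ServMask's code. Hypothetical names:
// option 'example_cloud_token', query args 'example_save_token' and 'example_nonce'.

// BEFORE (shown for contrast, deliberately not hooked): the token is written on
// every request that carries the parameter, with no check on who sent it. Any
// unauthenticated visitor could repoint where migration data is uploaded.
function example_init_unsafe() {
    if ( isset( $_GET['example_save_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_GET['example_save_token'] ) );
        update_option( 'example_cloud_token', $token );
    }
}

// AFTER: authorisation first, then a nonce tied to this specific action.
function example_init_safe() {
    if ( ! isset( $_GET['example_save_token'] ) ) {
        return;
    }

    // Only an administrator may change where migration data is sent.
    // This is the actual access-control decision; the nonce alone is not one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to change the migration token.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Verifies the nonce in 'example_nonce' against the 'example_save_token'
    // action for the current user and dies with a 403 if it is missing or stale.
    check_admin_referer( 'example_save_token', 'example_nonce' );

    $token = sanitize_text_field( wp_unslash( $_GET['example_save_token'] ) );
    update_option( 'example_cloud_token', $token );
}
add_action( 'init', 'example_init_safe' );

// Builds the link an authorised admin would click; wp_nonce_url() appends the
// nonce that check_admin_referer() later verifies.
function example_token_link( $token ) {
    $url = add_query_arg( 'example_save_token', $token, admin_url() );
    return wp_nonce_url( $url, 'example_save_token', 'example_nonce' );
}
```

Two points matter when reviewing code like this. The capability check and the nonce check are complementary, not interchangeable: a nonce only proves the request originated from a page the site rendered for that user, so on its own it does not stop a logged-out visitor who can obtain a nonce generated in the logged-out context. And because `init` runs on every page load, including for anonymous requests, any state-changing logic hooked there needs both checks before it touches options that control where backups are sent or restored from.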

Users of the affected premium extensions are strongly advised to upgrade to the fixed versions: Box Extension v1.54, Google Drive Extension v2.80, OneDrive Extension v1.67, and Dropbox Extension v3.76. Additionally, all users are recommended to ensure they are using the latest version of the base plugin, All-in-One WP Migration v7.78.

It is crucial for WordPress site owners to promptly update their plugins and extensions to minimize the risk of potential vulnerabilities being exploited. Regularly checking for updates and patches is an essential part of maintaining the security and integrity of websites.

Sources:

– PatchStack

– ServMask