WordPress migration add-on flaw could lead to data breaches


Several premium extensions for All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffer from an unauthenticated access token manipulation flaw that could allow attackers to access sensitive site information.

All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.

Patchstack reports that several premium extensions sold by the plugin's vendor, ServMask, share the same vulnerable code snippet: the extensions' init function performs neither a permission (capability) check nor nonce validation before acting on the request.

This code is present in the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, which were created to facilitate migrations through those third-party storage services.

The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate the token configuration of the affected extensions, potentially letting attackers divert website migration data to their own third-party cloud storage accounts or restore malicious backups.

The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that might include user details, critical website data, and proprietary information. 

The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only needed during site migration projects and should normally not be active at any other time. While the vulnerable extension remains active, however, the unauthenticated code path is reachable regardless of whether a migration is in progress.

The broken access control flaw was discovered by Patchstack researcher Rafie Muhammad on July 18, 2023, and reported to ServMask for fixing.

The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.

Applied patch (Patchstack)
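To make the bug class concrete, the following is an added, illustrative PHP example of an extension-style init handler that stores a cloud access token, first in the unprotected shape the article describes and then with the permission and nonce validation the vendor's patch introduced. It is not ServMask's code and does not reproduce the actual vulnerable snippet; every name prefixed "example_" (the functions, the option name, the form field and the nonce action) is an assumption made for this demonstration. The WordPress functions it calls (add_action, current_user_can, check_admin_referer, wp_nonce_field, update_option, get_option, wp_die) are real core APIs.

```php
<?php
/**
 * Added, illustrative example of the bug class described in the article.
 * This is NOT ServMask's code; the option name, field names and nonce action
 * (everything prefixed "example_") are assumptions made for the demonstration.
 */

// --- Vulnerable shape: an 'init' handler that trusts the request outright. ---
// WordPress fires 'init' on every request, including ones from logged-out
// visitors, so a handler like this is an unauthenticated endpoint: anyone who
// can POST to the site can overwrite the stored cloud token and point future
// migration exports at a storage account they control.
function example_cloud_token_init_vulnerable() {
    if ( isset( $_POST['example_cloud_token'] ) ) {
        update_option(
            'example_cloud_token',
            sanitize_text_field( wp_unslash( $_POST['example_cloud_token'] ) )
        );
    }
}
// Shown for contrast only; deliberately not hooked so it cannot run.
// add_action( 'init', 'example_cloud_token_init_vulnerable' );

// --- Hardened shape: the same handler with permission and nonce validation. ---
function example_cloud_token_init_hardened() {
    if ( ! isset( $_POST['example_cloud_token'] ) ) {
        return;
    }

    // 1. Authorization: only a user allowed to run exports may change the token.
    //    This fails for logged-out visitors, which closes the unauthenticated path.
    if ( ! current_user_can( 'export' ) ) {
        wp_die( 'You are not allowed to update the cloud token.', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce bound to this action.
    //    check_admin_referer() stops the request with a 403 page when the nonce
    //    is missing, expired, or was issued for a different action or user.
    check_admin_referer( 'example_cloud_token_update', 'example_cloud_token_nonce' );

    update_option(
        'example_cloud_token',
        sanitize_text_field( wp_unslash( $_POST['example_cloud_token'] ) )
    );
}
add_action( 'init', 'example_cloud_token_init_hardened' );

// The settings form that legitimately submits the token must embed the matching
// nonce field; otherwise the hardened handler rejects the extension's own form.
function example_cloud_token_settings_form() {
    $current = get_option( 'example_cloud_token', '' );
    echo '<form method="post">';
    wp_nonce_field( 'example_cloud_token_update', 'example_cloud_token_nonce' );
    echo '<label>Cloud token <input type="text" name="example_cloud_token" value="'
        . esc_attr( $current ) . '"></label> ';
    echo '<button type="submit">Save</button>';
    echo '</form>';
}
```

The two checks address different threats and both are needed. The capability check is what removes the unauthenticated attack surface; a nonce on its own is not authorization, because WordPress will mint nonces for logged-out sessions as well. The nonce, in turn, is what stops an attacker from making an already logged-in administrator submit the token change from a page the attacker controls. When reviewing other plugins for the same pattern, look for handlers hooked to init or admin_init that read $_GET or $_POST and write options or files without both checks.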

Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Also, users are recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.

