All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.
Patchstack reports that various premium extensions offered by the plugin's vendor, ServMask, all contain the same snippet of vulnerable code, which lacks permission and nonce validation in the init function.
This code is present in the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, which were created to facilitate data migration procedures using those third-party platforms.
The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or to restore malicious backups.
The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that may include user details, critical website data, and proprietary information.
The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.
The broken access control flaw was discovered by Patchstack researcher Rafie Muhammad on July 18, 2023, and reported to ServMask for fixing.
The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.
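To illustrate the class of defect described above, here is an added example (hypothetical code, not ServMask's or Patchstack's): a WordPress `init` handler that stores a cloud-storage token from the request, first without any checks, then with the capability and nonce validation that the fix introduces. All function and option names are assumptions for this illustration.

```php
<?php
// Added illustration, not the plugin's own code: a hypothetical WordPress
// extension that saves a cloud-storage token during the `init` hook.

// BEFORE (the pattern the advisory describes): no capability or nonce check.
// `init` runs for every request, including unauthenticated ones, so any
// visitor who sets this parameter can overwrite the stored token.
function example_cloud_init_vulnerable() {
    if ( isset( $_REQUEST['example_cloud_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_REQUEST['example_cloud_token'] ) );
        update_option( 'example_cloud_token', $token );
    }
}

// AFTER: require an administrator and a valid nonce before touching the
// token. Both checks happen before any state is written.
function example_cloud_init_fixed() {
    if ( ! isset( $_REQUEST['example_cloud_token'] ) ) {
        return;
    }
    // Permission check: only users allowed to manage the site may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: ties the request to a form this site issued to this user,
    // which blocks cross-site request forgery against an admin's session.
    $nonce = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_cloud_update_token' ) ) {
        wp_die( 'Invalid or expired nonce.', '', array( 'response' => 403 ) );
    }
    $token = sanitize_text_field( wp_unslash( $_REQUEST['example_cloud_token'] ) );
    update_option( 'example_cloud_token', $token );
}

// Only the hardened handler is hooked; the vulnerable one is shown for contrast.
add_action( 'init', 'example_cloud_init_fixed' );
```

The settings form that submits the token must emit the matching nonce with `wp_nonce_field( 'example_cloud_update_token' )`, otherwise legitimate saves are rejected too.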
Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:
- Box Extension: v1.54
- Google Drive Extension: v2.80
- OneDrive Extension: v1.67
- Dropbox Extension: v3.76
Additionally, users are recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.