All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.
Patchstack reports that various premium extensions the plugin’s vendor ServMask offers all contain the same snippet of vulnerable code that lacks permission and nonce validation in the init function.
This code is present in the Box extension, Google Drive extension, One Drive extension, and Dropbox extension, which were created for facilitating data migration procedures using the said third-party platforms.
The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or restoring malicious backups.
The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that might include user details, critical website data, and proprietary information.
The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.
The broken access control flaw was discovered by PatchStack’s researcher Rafie Muhammad, on July 18, 2023, and reported to ServMask for fixing.
The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.
Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:
- Box Extension: v1.54
- Google Drive Extension: v2.80
- OneDrive Extension: v1.67
- Dropbox Extension: v3.76
Also, users are recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.