All-in-One WP Migration, a popular WordPress plugin used for website migrations, has been found to harbor a critical security vulnerability that could put millions of websites at risk. This plugin streamlines the process of transferring WordPress site content, databases, media, plugins, and themes from one location to another.
Security researcher Rafie Muhammad of Patchstack identified the vulnerability and reported it on July 18 to the plugin's vendor, ServMask.
The vulnerability, tracked as CVE-2023-40004, lets unauthorized users access and manipulate the token configuration of the affected extensions, opening the door to unauthorized access to and manipulation of sensitive website data. In practice this could allow migration data to be diverted to attacker-controlled destinations or a malicious backup to be restored.
This flaw extends beyond the primary plugin. Several premium extensions, designed to facilitate migration through third-party services such as Box, Google Drive, OneDrive and Dropbox, contain the same vulnerable code snippet.
The severity of this vulnerability is heightened by the sheer number of active installations, which stands at around 5 million. An attacker exploiting this flaw could gain access to comprehensive databases, user details, proprietary information, and other critical website data.
The All-in-One WP Migration plugin is typically used only during a migration and is not always left active. However, given the high number of active installations, the chance of a lapse in security is significantly increased.
After Rafie Muhammad's discovery and report, ServMask acted quickly to release a security update on July 26, adding permission and nonce validation to the init function of the affected plugins and extensions.
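To illustrate the shape of the fix described above, here is an added example of a hypothetical extension settings handler hooked on `admin_init`, shown before and after the two checks the update added. This is not ServMask's code; the option name, form field names, hook and the `export` capability are assumptions.

```php
<?php
// Hypothetical storage-token handler for a migration extension (not the plugin's code).
// Option/field names and the 'export' capability are assumed for illustration.

// BEFORE: fires on every admin_init, which also runs for admin-ajax.php requests,
// and trusts any POST body. Nothing checks who sent it or where the form came from,
// so the stored destination token can be changed by an unauthorized request.
function hyp_storage_init_vulnerable() {
    if ( isset( $_POST['hyp_storage_token'] ) ) {
        update_option( 'hyp_storage_token', sanitize_text_field( wp_unslash( $_POST['hyp_storage_token'] ) ) );
    }
}

// AFTER: permission check, then nonce check, before anything is written.
function hyp_storage_init_fixed() {
    if ( ! isset( $_POST['hyp_storage_token'] ) ) {
        return;
    }
    // 1. Permission: only users allowed to export the site may change where
    //    migration data is sent. 'export' is the capability assumed here.
    if ( ! current_user_can( 'export' ) ) {
        wp_die( esc_html__( 'You are not allowed to change storage settings.', 'hyp' ), 403 );
    }
    // 2. Nonce: the request must carry a token tied to this action and the
    //    current user's session, so a request forged from another site is rejected.
    $nonce = isset( $_POST['hyp_storage_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['hyp_storage_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hyp_storage_update' ) ) {
        wp_die( esc_html__( 'Invalid or expired request.', 'hyp' ), 403 );
    }
    update_option( 'hyp_storage_token', sanitize_text_field( wp_unslash( $_POST['hyp_storage_token'] ) ) );
}
add_action( 'admin_init', 'hyp_storage_init_fixed' );

// The settings form must emit the matching nonce so legitimate saves still pass.
function hyp_storage_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hyp_storage_update', 'hyp_storage_nonce' ); ?>
        <input type="text" name="hyp_storage_token"
               value="<?php echo esc_attr( get_option( 'hyp_storage_token', '' ) ); ?>">
        <?php submit_button( __( 'Save token', 'hyp' ) ); ?>
    </form>
    <?php
}
```

The order matters: the capability check rejects users who should never reach the handler, and the nonce check stops a privileged user's browser from being tricked into submitting the change on an attacker's behalf.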
Users who rely on All-in-One WP Migration and its associated extensions are strongly advised to update to the following patched versions:
Updating to these versions will patch the vulnerability and safeguard websites from exploitation.
For those using All-in-One WP Migration and its affected extensions, updating to the latest versions is not just a recommendation but an essential step in maintaining the integrity and security of their WordPress websites.