Vulnerable Access Token Manipulation in All-in-One WP Migration Plugin

All-in-One WP Migration, a widely used data migration plugin for WordPress sites with 5 million active installations, has been found to have a security vulnerability that allows unauthenticated access token manipulation. This flaw could potentially enable attackers to gain access to sensitive information stored on affected websites.

All-in-One WP Migration is a user-friendly WordPress site migration tool designed for non-technical and inexperienced users. It allows seamless exports of databases, media, plugins, and themes into a single archive, which can be easily restored on a new destination.

Patchstack has reported that various premium extensions offered by the plugin’s vendor, ServMask, contain the same vulnerable code snippet. This code lacks permission and nonce validation in the init function.

The affected extensions, namely the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, were created to facilitate data migration procedures using these third-party platforms.

Exploiting the vulnerability, known as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions. This could potentially allow attackers to divert website migration data to their own third-party cloud service accounts or restore malicious backups.

The most significant consequence of successfully exploiting CVE-2023-40004 is a potential data breach that could expose user details, critical website data, and proprietary information.

It is worth noting that the security risk is somewhat mitigated by the fact that All-in-One WP Migration is typically only active during site migration projects and should not be active at other times.

The vulnerability was discovered by Rafie Muhammad, a researcher at Patchstack, on July 18, 2023. The issue was promptly reported to ServMask, who released security updates on July 26, 2023. These updates introduced permission and nonce validation to the init function, addressing the vulnerability.
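The pattern the patch addresses, as an added illustration that is not ServMask's or Patchstack's code: a hypothetical extension handler on the WordPress init hook that stores a cloud-storage token from a request, shown first without any checks and then gated by a capability check and a nonce check (all function, option and nonce names prefixed hypothetical_ext are assumptions).

```php
<?php
// Constructed illustration (not the plugin's own code): a hypothetical extension
// that saves a cloud-storage access token on WordPress 'init'.

// BEFORE: reachable by any visitor; no capability check and no nonce check,
// so an unauthenticated request can overwrite the stored token. Not hooked here.
function hypothetical_ext_init_unsafe() {
    if ( isset( $_POST['hypothetical_ext_token'] ) ) {
        update_option(
            'hypothetical_ext_token',
            sanitize_text_field( wp_unslash( $_POST['hypothetical_ext_token'] ) )
        );
    }
}

// AFTER: same handler, but the write only happens for a privileged user
// whose request carries a valid nonce for this specific action.
function hypothetical_ext_init_safe() {
    if ( ! isset( $_POST['hypothetical_ext_token'] ) ) {
        return;
    }
    // Permission check: only users allowed to manage site options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypothetical-ext' ), '', array( 'response' => 403 ) );
    }
    // Nonce check: rejects forged or replayed requests that lack a token issued
    // for the 'hypothetical_ext_save_token' action (CSRF protection).
    if ( ! isset( $_POST['hypothetical_ext_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['hypothetical_ext_nonce'] ), 'hypothetical_ext_save_token' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'hypothetical-ext' ), '', array( 'response' => 403 ) );
    }
    update_option(
        'hypothetical_ext_token',
        sanitize_text_field( wp_unslash( $_POST['hypothetical_ext_token'] ) )
    );
}
add_action( 'init', 'hypothetical_ext_init_safe' );

// The settings form that submits the token must emit the matching nonce field:
// wp_nonce_field( 'hypothetical_ext_save_token', 'hypothetical_ext_nonce' );
```

Both checks are needed: the capability check alone still lets a logged-in administrator's browser be driven by a cross-site request, and the nonce alone does not establish who is submitting.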

[Image: Applied patch (Patchstack)]

Users of the affected premium third-party extensions are strongly advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Additionally, all users are recommended to use the latest version of the free base plugin, All-in-One WP Migration v7.78, to ensure they are protected against potential vulnerabilities.
