The widely-used WordPress data migration tool, All-in-One WP Migration, boasting 5 million active installations, recently faced security challenges due to unauthorized access token manipulation. This vulnerability could potentially give cybercriminals a pathway to retrieve sensitive website data.
All-in-One WP Migration stands as a go-to solution for both tech-savvy and novice users. Its primary function is to consolidate various site elements like databases, media, themes, and plugins into one comprehensive archive. This makes migrating a site to a new location a breeze.
According to a report, the vulnerability arises from a specific piece of code found within the premium extensions offered by the plugin’s developer, ServMask. This code, which is uniformly present in extensions like Box, Google Drive, OneDrive, and Dropbox, is responsible for aiding data migration to these third-party platforms. Alarmingly, this code lacked crucial permission and nonce validations.
The vulnerability, tracked as CVE-2023-40004, exposes a potential risk where unauthorized users could tweak token configurations in the affected extensions. This could provide an attacker with the means to reroute migration data to their cloud service accounts or even restore harmful backups.
If this vulnerability were to be fully exploited, it could lead to a significant data breach. This breach may encompass user personal information, essential website data, and proprietary assets.
However, it’s noteworthy that the risk is somewhat limited. The primary use of All-in-One WP Migration is during the website migration phase, meaning it isn’t active continuously.
Patchstack researcher Rafie Muhammad was the first to identify this security flaw on July 18, 2023. The discovery was then promptly communicated to ServMask for resolution.
To address the issue, ServMask rolled out security patches on July 26, 2023. These updates incorporate the much-needed permission and nonce checks in the problematic code. Those using the affected premium extensions should promptly update to the remedied versions:
- Box Extension: v1.54
- Google Drive Extension: v2.80
- OneDrive Extension: v1.67
- Dropbox Extension: v3.76
In addition to the above, it’s prudent for users to also install the most recent edition of the primary (free) All-in-One WP Migration plugin, which is v7.78.
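
What "permission and nonce checks" look like in a WordPress handler that stores a cloud-storage token, as an added example that is not ServMask's code. The action, option, nonce and field names are hypothetical; the WordPress functions are core APIs.

```php
<?php
/**
 * Plugin Name: Example token handler (added illustration)
 *
 * All names here (action, option, nonce, field) are hypothetical and are
 * not identifiers from the ServMask extensions.
 */

// Before: neither check. Any request that reaches this handler can overwrite
// the stored cloud-storage token. Shown for contrast only; never hooked.
function example_save_token_unchecked() {
    if ( isset( $_POST['example_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_POST['example_token'] ) );
        update_option( 'example_cloud_token', $token );
    }
}

// After: both checks run before any state changes.
function example_save_token_checked() {
    // Permission check: only users who may manage the site can change the token.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Nonce check: the request must carry the nonce printed into the settings
    // form by wp_nonce_field( 'example_save_token', 'example_nonce' ), which
    // ties it to this user and action. check_admin_referer() dies on failure.
    check_admin_referer( 'example_save_token', 'example_nonce' );

    if ( ! isset( $_POST['example_token'] ) ) {
        wp_die( 'Missing token', '', array( 'response' => 400 ) );
    }
    $token = sanitize_text_field( wp_unslash( $_POST['example_token'] ) );
    update_option( 'example_cloud_token', $token );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// admin_post_{action} fires only for logged-in users. That is authentication,
// not authorization, so the capability check above is still required.
add_action( 'admin_post_example_save_token', 'example_save_token_checked' );
```

When reviewing other plugins for the same class of flaw, look for handlers that call `update_option()` or similar on request data without a preceding `current_user_can()` and nonce verification.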