Unauthorized Access Threat in All-in-One WP Migration: Immediate Updates Recommended

Reading Time: ( Word Count: )

August 31, 2023

The widely-used WordPress data migration tool, All-in-One WP Migration, boasting 5 million active installations, recently faced security challenges due to unauthorized access token manipulation. This vulnerability could potentially give cybercriminals a pathway to retrieve sensitive website data.

All-in-One WP Migration stands as a go-to solution for both tech-savvy and novice users. Its primary function is to consolidate various site elements like databases, media, themes, and plugins into one comprehensive archive. This makes migrating a site to a new location a breeze.

According to a report, the vulnerability arises from a specific piece of code found within the premium extensions offered by the plugin’s developer, ServMask. This code, which is uniformly present in extensions like Box, Google Drive, One Drive, and Dropbox, is responsible for aiding data migration to these third-party platforms. Alarmingly, this code lacked crucial permission and nonce validations.

nauthorized Access Threat in All-in-One WP Migration

The identified vulnerability, coded as CVE-2023-40004, exposes a potential risk where unauthorized users could tweak token configurations in the compromised extensions. This could provide an attacker with the means to reroute migration data to their cloud service accounts or even restore harmful backups.

Also Read: Beware the Fake Apps: MMRat Trojan’s Silent Invasion in Southeast Asia

If this vulnerability were to be fully exploited, it could lead to a significant data breach. This breach may encompass user personal information, essential website data, and proprietary assets.

However, it’s noteworthy that the risk is somewhat limited. The primary use of All-in-One WP Migration is during the website migration phase, meaning it isn’t active continuously.

PatchStack researcher, Rafie Muhammad, was the first to identify this security flaw on July 18, 2023. Promptly after, the discovery was communicated to ServMask for resolution.

To address the issue, ServMask rolled out security patches on July 26, 2023. These updates incorporate the much-needed permission and nonce checks in the problematic code. Those using the affected premium extensions should promptly update to the remedied versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

In addition to the above, it’s prudent for users to also install the most recent edition of the primary (free) All-in-One WP Migration plugin, which is version v7.78.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *