A new security flaw has been found in the premium extensions of the widely used All-in-One WP Migration plugin, potentially leaving millions of WordPress websites vulnerable to unauthenticated access token manipulation.
The All-in-One WP Migration plugin, a popular tool for migrating WordPress websites, boasts over 60 million installations. The plugin offers premium extensions, including ones for Box, Google Drive, OneDrive and Dropbox integration. These extensions let users migrate site content to those third-party storage platforms with ease.
The vulnerability hinges on unauthenticated access token manipulation. An attacker can exploit the flaw to update or delete the access token configuration of an affected extension. Because that token determines which third-party account the extension reads from and writes to, an attacker who swaps in a token for an account they control can expose sensitive information during migration, potentially gaining access to the managed third-party accounts or the ability to restore malicious backups.
The vulnerable code was identified by the security research team at PatchStack, led by Rafie Muhammad, in the init function of the affected extensions. The flaw stems from insufficient permission and nonce validation, which allows unauthenticated users to manipulate the access token. The vulnerable function is hooked to the WordPress admin_init action, which fires on every request into wp-admin, including requests to admin-ajax.php that WordPress serves to visitors who are not logged in, so the missing checks can be reached without any account.
PatchStack recommended that plugin and theme developers implement both permission and nonce validation in functions hooked to admin_init. Together the two checks prevent unauthorized access to, and manipulation of, sensitive settings: the capability check rejects anonymous and low-privilege requesters, and the nonce check rejects forged requests from an administrator's browser.
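The following PHP fragment is an added illustration of the pattern PatchStack describes, not code from the All-in-One WP Migration extensions. It shows a settings handler hooked to admin_init first in the unsafe shape (no capability check, no nonce) and then hardened as recommended. The option name `example_cloud_token`, the form fields `example_token` and `example_delete_token`, the nonce action `example_cloud_settings` and the `example_` function names are all hypothetical; only the WordPress API calls (`add_action`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `update_option`, `delete_option`) are real.

```php
<?php
/**
 * Illustrative example (not the plugin's own code): a settings handler on
 * admin_init, shown vulnerable and then hardened.
 *
 * Assumed, hypothetical names:
 *   option 'example_cloud_token'            - stores the third-party access token
 *   POST fields 'example_token',
 *               'example_delete_token'      - the settings form inputs
 *   nonce action 'example_cloud_settings'   - ties the form to this handler
 */

// --- Vulnerable pattern ----------------------------------------------------
// admin_init fires on every request into /wp-admin/, including
// /wp-admin/admin-ajax.php and /wp-admin/admin-post.php, which WordPress
// serves to anonymous visitors as well. Nothing below asks who sent the
// request or whether it came from this plugin's own form, so an
// unauthenticated POST can overwrite or wipe the stored token.
function example_vulnerable_init() {
    if ( isset( $_POST['example_token'] ) ) {
        update_option(
            'example_cloud_token',
            sanitize_text_field( wp_unslash( $_POST['example_token'] ) )
        );
    }
    if ( isset( $_POST['example_delete_token'] ) ) {
        delete_option( 'example_cloud_token' );
    }
}
// add_action( 'admin_init', 'example_vulnerable_init' ); // never ship this

// --- Hardened pattern ------------------------------------------------------
function example_hardened_init() {
    // Nothing to do unless the settings form actually submitted something.
    if ( ! isset( $_POST['example_token'] ) && ! isset( $_POST['example_delete_token'] ) ) {
        return;
    }

    // 1. Authorization. admin_init also runs for anonymous requests, so the
    //    capability check is what keeps unauthenticated users out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. Request origin. check_admin_referer() verifies the '_wpnonce' field
    //    against the action name and dies on mismatch, which stops a forged
    //    request riding on a logged-in administrator's session (CSRF).
    //    A nonce alone is not authorization; both checks are needed.
    check_admin_referer( 'example_cloud_settings' );

    if ( isset( $_POST['example_delete_token'] ) ) {
        delete_option( 'example_cloud_token' );
        return;
    }
    update_option(
        'example_cloud_token',
        sanitize_text_field( wp_unslash( $_POST['example_token'] ) )
    );
}
add_action( 'admin_init', 'example_hardened_init' );

// The settings form must emit the matching nonce field, otherwise every
// legitimate submission fails the check above.
function example_render_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_cloud_settings' ); ?>
        <input type="text" name="example_token" value="">
        <label>
            <input type="checkbox" name="example_delete_token" value="1">
            Remove stored token
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

To confirm a handler of this kind is closed, send an unauthenticated POST carrying the form fields to /wp-admin/admin-ajax.php on a test site and verify that the stored option is unchanged afterwards; with the vulnerable handler it is overwritten or deleted. The specific parameter names used by the real extensions are not given in this article, so the check above uses the hypothetical names only.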
Read more on WordPress vulnerabilities: WooCommerce Bug Exploited in Targeted WordPress Attacks
PatchStack notified the plugin developer of the flaw on July 18. Patched versions were released on July 26 to address the issue. The patched version of each affected extension is as follows:
- All-in-One WP Migration Box Extension: Version 1.54
- All-in-One WP Migration Google Drive Extension: Version 2.80
- All-in-One WP Migration OneDrive Extension: Version 1.67
- All-in-One WP Migration Dropbox Extension: Version 3.76
In light of this security lapse, users of the All-in-One WP Migration extensions are urged to update immediately to the patched versions listed in the security advisory.