A recent discovery of a security flaw in the widely used All-in-One WP Migration Extensions plugin has raised concerns over the security of millions of WordPress websites. The plugin, renowned for its ability to seamlessly migrate WordPress sites, has an extensive user base of over 60 million installations.
Among its offerings are premium extensions designed to facilitate content migration to third-party platforms such as Box, Google Drive, OneDrive, and Dropbox. The vulnerability in question revolves around unauthenticated access token manipulation, which poses a significant risk to website owners. Exploiting this vulnerability, hackers could potentially modify or delete access token configurations associated with the affected extensions. This unauthorized manipulation opens the door to the exposure of sensitive data during the migration process, enabling attackers to gain unauthorized access to controlled third-party accounts or potentially inject malicious backups.
The security research team at PatchStack, under the leadership of Rafie Muhammad, unearthed the vulnerable code within the init function of the impacted extensions. The weakness is rooted in insufficient permission and nonce validation mechanisms, which allow unauthorized users to manipulate access tokens. The vulnerability can be triggered through the WordPress admin_init hook.
In response to this threat, PatchStack advised plugin and theme developers to incorporate permission and nonce validation measures into functions tied to admin_init. This proactive approach can mitigate unauthorized access and the manipulation of sensitive information.
Having identified this flaw on July 18, PatchStack promptly notified the plugin developer, resulting in patched versions being released on July 26 to address the vulnerability. Users of the All-in-One WP Migration Extensions are strongly advised to promptly update their plugins to the patched versions highlighted in the security advisory to safeguard their websites.