WordPress Backup Plugin Vulnerability Affects 5+ Million Websites

A high-severity vulnerability affects the All-in-One WP Migration and Backup plugin, which is installed on over 5 million sites

A high-severity vulnerability was discovered and patched in the All-in-One WP Migration and Backup plugin, which has over five million installations. The vulnerability requires no user authentication, which would normally make it easy for an attacker to compromise a website, but exploitation is constrained because an administrator must export and restore a backup before the flaw can be triggered.

The vulnerability was assigned a severity rating of 7.5 (High), which is below the highest severity level, labeled Critical.


Unauthenticated PHP Object Injection

The vulnerability is classed as an unauthenticated PHP object injection. It is less severe than a typical unauthenticated PHP object injection, where an attacker could exploit the flaw directly: this one is only triggered when a user with administrator-level credentials exports and then restores a backup with the plugin.

This kind of vulnerability arises because the plugin processes potentially malicious serialized data during backup restoration without properly verifying it. Because the attack window is narrow, exploiting it is less straightforward.

Nevertheless, if the right conditions are met, including a usable POP chain supplied by another installed plugin or theme, an attacker can delete files, access sensitive information, and run malicious code.
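The following is an added illustration, not code from the plugin or from Wordfence, of the pattern behind this class of bug: serialized values read from a backup are handed to `unserialize()`, which will instantiate any class named in the input and run its magic methods (the "POP chain" the advisory refers to). The class `LoggerGadget`, the function names, and the sample serialized strings are constructed for the example; the hardened variant uses the `allowed_classes` option of `unserialize()` so that object payloads can never be revived.

```php
<?php
// Added example, not the plugin's replace_serialized_values() code.

// Constructed stand-in for a gadget class: unserialize() would revive it
// and PHP would call __destruct() automatically when it is discarded.
// Real gadgets do file writes, deletions or includes here.
class LoggerGadget {
    public $logFile = '/tmp/example.log';
    public function __destruct() {
        echo "__destruct() ran for {$this->logFile}" . PHP_EOL;
    }
}

// Vulnerable shape: backup content goes straight into unserialize(),
// so any class present on the site can be instantiated by the payload.
function restore_value_vulnerable(string $raw) {
    return unserialize($raw);
}

// Returns true if an unserialized value is, or contains, any object.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened shape: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, whose magic methods never run.
// Scalars and arrays, which is all a settings value needs, still load.
// Anything that still contains an object is rejected outright.
function restore_value_hardened(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== serialize(false)) {
        return null; // malformed input
    }
    return contains_object($value) ? null : $value;
}

// Constructed sample inputs: a benign settings array, and an object
// payload of the kind that could be planted in a backup file.
$benign  = serialize(['siteurl' => 'https://example.com']);
$hostile = 'O:12:"LoggerGadget":1:{s:7:"logFile";s:16:"/tmp/example.log";}';

var_dump(restore_value_hardened($benign));   // the array, unchanged
var_dump(restore_value_hardened($hostile));  // NULL, and no __destruct() output
```

Running the hostile string through `restore_value_vulnerable()` instead would print the `__destruct()` line, which is exactly the side effect a real gadget chain abuses; the hardened path never constructs the object, so the only thing that changes is which classes are trusted, not how backups are stored.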

According to a report by Wordfence:

“The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the ‘replace_serialized_values’ function.

This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.”

The vulnerability affects versions up to and including 7.89. Users of the plugin are recommended to update it to the latest version which at the time of writing is 7.90.

Read the Wordfence vulnerability advisory:

All in One WP Migration <= 7.89 – Unauthenticated PHP Object Injection

A separate, earlier vulnerability in the same plugin family, tracked as CVE-2023-40004, could allow unauthorized access to and manipulation of sensitive website data. It lets unauthorized users access and manipulate token configurations on affected extensions. This could lead to the diversion of migration data to attacker-controlled destinations or the restoration of malicious backups.

This flaw extends beyond the primary plugin. Several premium extensions, designed to facilitate migration through third-party services such as Box, Google Drive, OneDrive and Dropbox, contain the same vulnerable code.

The severity of this vulnerability is heightened by the sheer number of active installations, which stands at around 5 million. An attacker exploiting this flaw could gain access to comprehensive databases, user details, proprietary information, and other critical website data.

The All-in-One WP Migration plugin is typically activated only while a migration is being performed. However, the high number of active installations significantly increases the chance that a site is left exposed.

After Rafie Muhammad’s discovery and report, ServMask acted quickly to release a security update on July 26, adding permission and nonce validation to the init function of the affected plugins and extensions.
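As an added example (not ServMask's code), the following sketches the access-control pattern the fix is described as adding: a capability check and a nonce check before a request may change the extension's token settings. The hook name `example_save_token`, the option name `example_token_settings`, and the function names are assumptions; `current_user_can()`, `check_admin_referer()`, `wp_nonce_field()` and `admin_post_*` are standard WordPress APIs.

```php
<?php
// Added example illustrating permission and nonce validation for a
// settings-changing handler. Names prefixed "example_" are assumed.

// Vulnerable shape for comparison: runs on every request, trusts any
// caller that supplies the expected POST field.
function example_save_token_settings_vulnerable() {
    if ( isset( $_POST['token'] ) ) {
        update_option( 'example_token_settings', $_POST['token'] );
    }
}

// Hardened shape: (1) only a user with administrator-level capability
// may proceed, (2) the request must carry a valid nonce issued to that
// user for this specific action, which blocks unauthenticated and
// cross-site requests, (3) input is sanitized before it is stored.
function example_save_token_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_save_token' ); // dies with 403 on a bad nonce

    $token = isset( $_POST['token'] )
        ? sanitize_text_field( wp_unslash( $_POST['token'] ) )
        : '';
    update_option( 'example_token_settings', $token );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// Route only authenticated admin-post requests to the handler; there is
// deliberately no admin_post_nopriv_ registration for this action.
add_action( 'admin_post_example_save_token', 'example_save_token_settings' );

// The form that submits to the handler must embed the matching nonce.
function example_render_token_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_token">
        <?php wp_nonce_field( 'example_save_token' ); ?>
        <input type="text" name="token" value="">
        <?php submit_button( 'Save token' ); ?>
    </form>
    <?php
}
```

The two checks answer different questions: the capability check decides who is allowed to change the destination of migration data, and the nonce check confirms that the request was intentionally made by that user rather than forged or replayed. Either one alone leaves a gap the other closes.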

Users who rely on All-in-One WP Migration and its associated extensions are strongly advised to update to the following patched versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76
  • All-in-One WP Migration: v7.78

Updating to these versions patches the vulnerability and protects websites from exploitation.

For those using All-in-One WP Migration and its affected extensions, updating to the latest versions is not just a recommendation but an essential step in maintaining the integrity and security of their WordPress websites.
