This WordPress plugin with 5 million users could have a serious security flaw

WordPress logo (Image credit: WordPress)

Cybersecurity researchers from Patchstack recently discovered a high-severity flaw in a popular extension for WordPress, which allows threat actors to exfiltrate sensitive information from vulnerable websites.

The vulnerability is tracked as CVE-2023-40004 and is described as allowing unauthenticated users to access and modify token configurations. The flaw was found in an extension called All-in-One WP Migration, which has five million active installations.

This is an add-on that lets non-technical WordPress admins quickly and seamlessly migrate their site data from one place to another. However, the flaw could be abused to redirect website migration data to threat actors' own servers, or to restore malicious backups.

Multiple vulnerable add-ons

The flaw was discovered in mid-July this year and was subsequently reported to the plugin's creators, ServMask. The company released an update roughly a week later, addressing the issue by adding permission and nonce validation to the init function.
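To make the fix concrete, here is an added illustration of the pattern the article describes: a handler hooked to WordPress's init action that writes token configuration from request data, shown first without any checks and then with the capability check and nonce verification that the patch added. This is example code written for this page, not ServMask's code; the hook name, option name, request field names and nonce action are all assumptions.

```php
<?php
// Illustrative example, not code from the All-in-One WP Migration plugin.
// Option name, request field names and nonce action are made up for this example.

// --- BEFORE (vulnerable pattern): init fires on every request, for every
// visitor, so anyone who knows the parameter name can change the setting.
add_action( 'init', 'example_vulnerable_token_init' );
function example_vulnerable_token_init() {
    if ( ! isset( $_REQUEST['example_token'] ) ) {
        return;
    }
    // No login check, no capability check, no nonce: an unauthenticated
    // request can overwrite the token that controls where migration data goes.
    update_option( 'example_migration_token', $_REQUEST['example_token'] );
}

// --- AFTER (hardened pattern): only an administrator who submitted the
// plugin's own settings form (carrying a valid nonce) may change the token.
add_action( 'init', 'example_hardened_token_init' );
function example_hardened_token_init() {
    if ( ! isset( $_POST['example_token'] ) ) {
        return;
    }
    // 1. Permission: the current user must be allowed to manage site options.
    //    The current user is already resolved by the time init runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. Nonce: the request must carry a nonce issued for this action and
    //    this user, which blocks cross-site request forgery of the form.
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_token' ) ) {
        return;
    }
    // 3. Sanitise the value before it is stored.
    $token = sanitize_text_field( wp_unslash( $_POST['example_token'] ) );
    update_option( 'example_migration_token', $token );
}

// In the settings form that posts example_token, emit the matching nonce field
// so that the hardened handler can verify it:
//   wp_nonce_field( 'example_save_token', 'example_nonce' );
```

The two checks guard different things and both are needed: `current_user_can()` answers "is this user allowed to do this at all?", while `wp_verify_nonce()` answers "did this request really originate from the form the plugin rendered for this user?". A nonce on its own is not authentication, and a capability check on its own does not stop a logged-in administrator's browser from being tricked into submitting the form.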

The silver lining, according to BleepingComputer, is that the extension is only used during migration and should not be active (and thus a threat) at any other time.

The bad news is that the researchers found the same piece of vulnerable code in a few other extensions from the same vendor, including the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension.

To secure their websites, WP admins are advised to make sure their extensions are upgraded to these versions:

Box Extension: v1.54
Google Drive Extension: v2.80
OneDrive Extension: v1.67
Dropbox Extension: v3.76

All-in-One WP Migration should be upgraded to v7.78.

WordPress is by far the world's most popular content management system (CMS), with roughly half of all websites on the internet powered by the product. As such, it's a popular target among cybercriminals.

While WordPress itself is generally considered safe, it's the add-ons (mostly the free ones) that are usually the weakest link in the security chain.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
