WordPress Migration Add-on Flaw Could Lead to Data Breaches

Cyber Security Threat Summary:
Researchers found a vulnerability in All-in-One WP Migration, a widely used plugin for migrating WordPress sites with an active user base of 5 million. The vulnerability allows unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration. It accommodates non-technical and inexperienced users, facilitating smooth exports of databases, media, plugins, and themes. These components are packed into a single archive, simplifying restoration at the new destination.

As reported by Patchstack, the plugin's vendor, ServMask, offers several premium extensions that each contain an identical piece of vulnerable code: the init function lacks proper permission and nonce validation. The code is found in extensions such as Box, Google Drive, OneDrive, and Dropbox, which were designed to streamline migrating data through these external platforms.

“The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or restoring malicious backups.” (BleepingComputer, 2023).

Security Officer Comments:
The main consequence of successfully exploiting CVE-2023-40004 is potential exposure of sensitive user information, essential website data, and confidential proprietary data. The risk is partially lessened because All-in-One WP Migration is typically used only during website migration tasks rather than being active continuously. Rafie Muhammad, a researcher from Patchstack, identified the access-control flaw and reported it to ServMask for resolution on July 18, 2023. The vendor issued security patches on July 26, 2023, adding permission and nonce validation to the init function to address the issue.
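To make the root cause and the fix concrete, the following is an added illustration written for this summary; it is not ServMask's code and does not reproduce the affected extensions. It shows a hypothetical plugin handler (function and option names `example_*` are invented) that stores a cloud-storage token from a request during `init`, first without the checks the advisory describes as missing, then with a capability check and nonce verification added, which is the class of fix the vendor shipped.

```php
<?php
// Added illustration, not ServMask's code. Hypothetical plugin-style
// handler that stores a cloud-storage access token in the options table
// when a request carrying the expected parameters arrives during `init`.

// --- Vulnerable pattern: no capability check, no nonce check ----------
// Any request with these parameters updates the stored token, so the
// destination of future migration exports can be changed by anyone who
// can reach the site, logged in or not.
function example_vulnerable_init() {
    if ( isset( $_REQUEST['example_set_token'] ) ) {
        $token = sanitize_text_field( wp_unslash( $_REQUEST['example_token'] ?? '' ) );
        update_option( 'example_cloud_token', $token );
    }
}

// --- Hardened pattern: capability check plus nonce verification ------
function example_hardened_init() {
    if ( ! isset( $_REQUEST['example_set_token'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage the site may change
    // where migration data is sent. This is the check that blocks
    // unauthenticated callers; a nonce alone is not an auth check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Intent: the nonce ties the request to a form this plugin rendered
    // for this user, which blocks cross-site request forgery against an
    // administrator who is already logged in.
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_set_token' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'example' ), '', array( 'response' => 403 ) );
    }
    $token = sanitize_text_field( wp_unslash( $_REQUEST['example_token'] ?? '' ) );
    update_option( 'example_cloud_token', $token );
}

add_action( 'init', 'example_hardened_init' );

// The settings form that issues the nonce the hardened handler expects.
function example_render_token_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_set_token' ); // emits the _wpnonce field
    echo '<input type="hidden" name="example_set_token" value="1" />';
    echo '<input type="text" name="example_token" />';
    echo '<button type="submit">' . esc_html__( 'Save token', 'example' ) . '</button>';
    echo '</form>';
}
```

When reviewing a plugin for this bug class, look for every `add_action( 'init', ... )` or similar early hook whose callback reads `$_GET`, `$_POST` or `$_REQUEST` and writes options or files; each such path needs both a `current_user_can()` check for the right capability and a `wp_verify_nonce()` (or `check_admin_referer()`) check, in that order.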

Suggested Correction(s):
Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Users are also recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.