A security flaw has been discovered in the premium extensions of the widely used All-in-One WP Migration WordPress plugin, potentially leaving millions of websites exposed to unauthenticated access token manipulation.
The All-in-One WP Migration plugin, a popular tool for seamlessly migrating WordPress websites, boasts over 60 million installations. The plugin offers premium extensions, including those for Box, Google Drive, OneDrive and Dropbox integration. These extensions enable users to migrate content to various third-party platforms with ease.
The vulnerability hinges on unauthenticated access token manipulation: an attacker with no account on the site can update or delete the access token configuration of an affected extension. By replacing the stored token with one for an account they control, the attacker can have the site's migration data exported to their own third-party storage, exposing sensitive information, or use the same link to restore a malicious backup onto the site.
The vulnerable code was identified by Rafie Muhammad of PatchStack's security research team in the init function of the affected extensions. That function is hooked to the WordPress admin_init action, which runs on every request to the admin area, including unauthenticated requests to admin-ajax.php and admin-post.php. Because the function performed neither a permission (capability) check nor nonce validation, an unauthenticated user could update or delete the access token.
PatchStack recommends that plugin and theme developers apply both a capability check and nonce validation in any function hooked to admin_init, since that hook by itself proves nothing about who is making the request. Together these checks prevent unauthenticated users from reaching the sensitive operation and stop logged-in users from being tricked into triggering it.
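The pattern described above, as an added illustration written for this page rather than code from the affected extensions: a vulnerable admin_init handler that stores a cloud access token from request data with no checks, beside a hardened version that requires the manage_options capability and a valid nonce. The option name, request field names and function names are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not the plugin's own code): a migration extension that
 * stores a third-party access token from a request handled on admin_init.
 * Option name, request fields and function names are assumptions.
 */

// VULNERABLE PATTERN: admin_init fires on every wp-admin request, including
// unauthenticated hits to /wp-admin/admin-ajax.php and admin-post.php, so
// nothing here proves the caller is logged in, let alone an administrator.
function example_vulnerable_token_init() {
    if ( isset( $_POST['example_action'] ) && 'set_token' === $_POST['example_action'] ) {
        // Anyone can point the extension at an attacker-controlled cloud account ...
        update_option( 'example_cloud_access_token', sanitize_text_field( wp_unslash( $_POST['token'] ) ) );
    }
    if ( isset( $_POST['example_action'] ) && 'revoke_token' === $_POST['example_action'] ) {
        // ... or wipe the stored token.
        delete_option( 'example_cloud_access_token' );
    }
}
// add_action( 'admin_init', 'example_vulnerable_token_init' ); // do not register this

// HARDENED PATTERN: require a capability and a nonce before touching the token.
function example_hardened_token_init() {
    if ( ! isset( $_POST['example_action'] ) ) {
        return; // not our form; let other admin_init callbacks run
    }
    // 1. Authorization: only users allowed to manage options (administrators).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. CSRF protection: nonce bound to this action and the current user.
    //    check_admin_referer() dies with HTTP 403 if the nonce is missing or invalid.
    check_admin_referer( 'example_cloud_token_update', 'example_cloud_nonce' );

    $action = sanitize_key( $_POST['example_action'] );
    if ( 'set_token' === $action && isset( $_POST['token'] ) ) {
        update_option( 'example_cloud_access_token', sanitize_text_field( wp_unslash( $_POST['token'] ) ) );
    } elseif ( 'revoke_token' === $action ) {
        delete_option( 'example_cloud_access_token' );
    }
}
add_action( 'admin_init', 'example_hardened_token_init' );

// The settings form that legitimately submits the token must emit the matching nonce.
function example_render_token_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_cloud_token_update', 'example_cloud_nonce' );
    echo '<input type="hidden" name="example_action" value="set_token">';
    echo '<input type="text" name="token">';
    submit_button( 'Save token' );
    echo '</form>';
}
```

With the hardened handler, an unauthenticated POST of example_action=set_token to /wp-admin/admin-post.php is stopped at the capability check and answered with HTTP 403, and a logged-in administrator lured onto an attacker's page is stopped at the nonce check; with the vulnerable handler the same request silently rewrites the stored token. Note the order of the checks: the capability check comes first, because check_admin_referer() on its own only proves the request originated from the site, not that the user is permitted to change the setting.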
PatchStack notified the plugin developer of the flaw on July 18, and patched versions were released on July 26. The patched versions of the affected extensions are as follows:
- All-in-One WP Migration Box Extension: Version 1.54
- All-in-One WP Migration Google Drive Extension: Version 2.80
- All-in-One WP Migration OneDrive Extension: Version 1.67
- All-in-One WP Migration Dropbox Extension: Version 3.76
Users of any of these extensions are urged to update immediately to the patched versions listed above.