
August 31, 2023

Vulnerability in popular WordPress migration plugin could allow access to sensitive site information


A vulnerability has been discovered in the popular WordPress site migration plugin, All-in-One WP Migration, which has over five million active installations worldwide. All-in-One WP Migration is marketed as a user-friendly WordPress site migration tool for users of all levels of technical experience. It exports a website's database, media, plugins, and themes into a single archive that is easy to restore on a new destination.

The vulnerability, designated CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations, potentially allowing threat actors to send website migration data to their own infrastructure or restore malicious backups to the vulnerable site. Worse, successful exploitation of CVE-2023-40004 gives threat actors access to any user details, critical website data, and proprietary information stored on the site.

Fortunately, the threat posed by this vulnerability is tempered by the fact that All-in-One WP Migration is typically only used when sites are migrated and should normally not be active at any other time.

The bug affects plugin versions earlier than 7.78, which was released in August 2023 to address the flaw.

Source: Bleeping Computer

Analysis

WordPress is a popular content management system due to its affordability, ease of use, and repository of nearly 60,000 plugins. Unfortunately, it’s also a popular target for threat actors looking for infrastructure to host malware or to serve as part of their command and control (C2) networks, because the many plugins users install into their WordPress applications are often misconfigured and not regularly updated.

For example, in early July 2023, WordPress advised its users to uninstall the popular Ultimate Member plugin until a patch was released to address a zero-day privilege escalation vulnerability. The flaw allowed threat actors to change their user meta value to define their role as an administrator, providing them with complete access to the site.

Mitigation

Field Effect strongly encourages users of the All-in-One WP Migration plugin to update to the latest version as soon as possible.
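To confirm whether an installation still needs the update, the version in the plugin's main file header can be compared against the fixed release. The following POSIX shell script is an added example, not Field Effect's or the plugin's own code; it assumes the plugin's main file is at wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php and that its header carries a standard "Version:" line, and it runs its check against a constructed sample file rather than a live site.

```shell
#!/bin/sh
# Added example: flag an All-in-One WP Migration install older than the fixed release.
FIXED_VERSION="7.78"   # first version that addresses CVE-2023-40004 (from the advisory)

# version_lt A B: return 0 if dotted version A is strictly older than B.
# Compares numeric components left to right; missing components count as 0,
# so 7.8 < 7.78 and 7.78.1 is not older than 7.78.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$ai" = "$a" ] && a="" || a="${a#*.}"
    [ "$bi" = "$b" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# plugin_version FILE: print the value of the "Version:" header in a plugin's main PHP file.
plugin_version() {
  sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# plugin_is_vulnerable FILE: 0 if the header version is older than FIXED_VERSION,
# 1 if it is fixed, 2 if no version header could be read.
plugin_is_vulnerable() {
  v="$(plugin_version "$1")"
  [ -n "$v" ] || return 2
  version_lt "$v" "$FIXED_VERSION"
}

# Demo against a constructed plugin header (not the real plugin file).
# On a real site, point it at (assumed layout):
#   wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php
demo_dir="$(mktemp -d)"
printf '<?php\n/**\n * Plugin Name: Constructed Sample\n * Version: 7.77\n */\n' > "$demo_dir/sample.php"
if plugin_is_vulnerable "$demo_dir/sample.php"; then
  echo "sample.php: version $(plugin_version "$demo_dir/sample.php") is older than $FIXED_VERSION, update required"
else
  echo "sample.php: not affected"
fi
rm -rf "$demo_dir"
```

Sites managed with WP-CLI can get the same figure with `wp plugin list --fields=name,status,version`, which also shows whether the plugin is still active outside a migration.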
