WordPress migration add-on flaw could lead to data breaches (Security News, August 2023)
All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information.
All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.
The vulnerable code is present in the Box, Google Drive, OneDrive, and Dropbox extensions, which were created to facilitate data migration using those third-party platforms.
The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or to restore malicious backups.
The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.