Vulnerabilities > CVE-2022-2546 - Unspecified vulnerability in Servmask All-In-One WP Migration

CVSS 4.7 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

LOW

Availability impact

NONE

network

high complexity

servmask

NVD

Published: 2023-02-02

Updated: 2023-11-07

Summary

The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. Note: This requires knowledge of a static secret key

Vulnerable Configurations

Part	Description	Count
Application	Servmask Servmask ALL IN ONE WP Migration 7.39 Servmask ALL IN ONE WP Migration 7.40 Servmask ALL IN ONE WP Migration 7.41 Servmask ALL IN ONE WP Migration 7.42 Servmask ALL IN ONE WP Migration 7.43 Servmask ALL IN ONE WP Migration 7.44 Servmask ALL IN ONE WP Migration 7.45 Servmask ALL IN ONE WP Migration 7.46 Servmask ALL IN ONE WP Migration 7.47 Servmask ALL IN ONE WP Migration 7.48 Servmask ALL IN ONE WP Migration 7.49 Servmask ALL IN ONE WP Migration 7.50 Servmask ALL IN ONE WP Migration 7.51 Servmask ALL IN ONE WP Migration 7.52 Servmask ALL IN ONE WP Migration 7.53 Servmask ALL IN ONE WP Migration 7.54 Servmask ALL IN ONE WP Migration 7.55 Servmask ALL IN ONE WP Migration 7.56 Servmask ALL IN ONE WP Migration 7.57 Servmask ALL IN ONE WP Migration 7.58 Servmask ALL IN ONE WP Migration 7.59 Servmask ALL IN ONE WP Migration 7.60 Servmask ALL IN ONE WP Migration 7.61 Servmask ALL IN ONE WP Migration 7.62	24

References

https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58