The All-in-One WP Migration Extensions plugin, a popular tool for seamlessly migrating WordPress websites, has been found to suffer from a security vulnerability that allows unauthenticated users to update or delete access token configurations for the affected extensions.
Because the token decides which third-party storage account the extension talks to, an attacker who can overwrite it can point the site's next migration export (a full copy of the site, including the database) at a storage account they control, or have the site restore a malicious backup from that account.
The vulnerability, which has been assigned the CVE identifier CVE-2023-40004, affects the All-in-One WP Migration Box Extension, the All-in-One WP Migration Google Drive Extension, the All-in-One WP Migration OneDrive Extension, and the All-in-One WP Migration Dropbox Extension.
The vulnerable code is practically identical in all four affected extensions. It lives in the init function of each extension's main controller; below is the code from the All-in-One WP Migration Box Extension:
lib/controller/class-ai1wmbe-main-controller.php, function init()

public function init() {
    // No capability check and no nonce check: any request that reaches
    // admin_init with this parameter overwrites the stored Box token.
    if ( isset( $_GET['ai1wmbe_token'] ) ) {
        update_option( 'ai1wmbe_box_token', urldecode( $_GET['ai1wmbe_token'] ) );
        // Redirect to settings page
        wp_redirect( network_admin_url( 'admin.php?page=ai1wmbe_settings' ) );
        exit;
    }
    if ( AI1WMBE_PURCHASE_ID ) {
        update_option( 'ai1wmbe_plugin_key', AI1WMBE_PURCHASE_ID );
    }
}
The only difference in the other three extensions is the ai1wmbe prefix, which is specific to each extension. Notice that init() writes the ai1wmbe_box_token option straight from the $_GET['ai1wmbe_token'] value, without checking who sent the request. The init function is hooked to WordPress's admin_init action in the activate_actions function:
/**
 * Register listeners for actions
 *
 * @return void
 */
private function activate_actions() {
    add_action( 'admin_init', array( $this, 'init' ) );
    add_action( 'admin_init', array( $this, 'router' ) );
    add_action( 'admin_init', array( $this, 'load_textdomain' ) );
    add_action( 'admin_head', array( $this, 'admin_head' ) );
    // ... (rest of the function cut here) ...
The admin_init hook does not only fire on admin screens: WordPress also fires it for every request to /wp-admin/admin-ajax.php (and admin-post.php), including requests from visitors who are not logged in. Since init() performs neither a capability check nor nonce validation, an unauthenticated user can overwrite or clear the access token used by each affected extension with a single GET request to admin-ajax.php that carries the ai1wmbe_token parameter (or the equivalent parameter of the other three extensions).
The fix is as simple as adding a capability check and nonce validation to the init function. Below is an example patch from the All-in-One WP Migration Box Extension:
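The following block is an added illustration of what such a fix looks like; it is not the vendor's patch and not code from the extension. It assumes a loaded WordPress environment, and the capability name (manage_options), the nonce action name (ai1wmbe_settings), the class name and the helper token_callback_url() are all assumptions made for this example.

```php
<?php
// Added example, not the vendor's patch. Assumes WordPress is loaded
// (current_user_can, check_admin_referer, update_option, ... are core
// functions). Class name, capability and nonce action are assumptions.

class Ai1wmbe_Main_Controller_Example {

    /**
     * Hardened replacement for init().
     *
     * Two checks sit in front of the option write:
     *  1. current_user_can(): an anonymous request (for example one that
     *     reached admin_init through admin-ajax.php) has no capabilities
     *     at all, so it is rejected here with a 403.
     *  2. check_admin_referer(): the request must carry a nonce that was
     *     minted for the current logged-in user, so an administrator
     *     cannot be tricked into following a crafted link either.
     */
    public function init() {
        if ( isset( $_GET['ai1wmbe_token'] ) ) {
            if ( ! current_user_can( 'manage_options' ) ) {   // assumed capability
                wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
            }

            // Dies with "The link you followed has expired." when the
            // _wpnonce parameter is missing, expired or for another user.
            check_admin_referer( 'ai1wmbe_settings' );        // assumed action name

            // PHP already decodes the query string once into $_GET, so the
            // original urldecode() is dropped; wp_unslash() removes the
            // slashes WordPress adds, sanitize_text_field() strips tags
            // and NUL bytes while keeping the token an opaque string.
            $token = sanitize_text_field( wp_unslash( $_GET['ai1wmbe_token'] ) );
            update_option( 'ai1wmbe_box_token', $token );

            // wp_safe_redirect() only follows same-host (allowed-host) URLs.
            wp_safe_redirect( network_admin_url( 'admin.php?page=ai1wmbe_settings' ) );
            exit;
        }

        if ( defined( 'AI1WMBE_PURCHASE_ID' ) && AI1WMBE_PURCHASE_ID ) {
            update_option( 'ai1wmbe_plugin_key', AI1WMBE_PURCHASE_ID );
        }
    }

    /**
     * Whatever link hands the token back to the site must now carry the
     * nonce, otherwise the check above rejects it. Hypothetical helper:
     * builds the callback URL that the settings page links to.
     * add_query_arg() URL-encodes the value once, matching the single
     * decode PHP performs on receipt.
     */
    public function token_callback_url( $token ) {
        $url = add_query_arg(
            array( 'ai1wmbe_token' => $token ),
            network_admin_url( 'admin.php?page=ai1wmbe_settings' )
        );
        // Appends _wpnonce=<nonce bound to 'ai1wmbe_settings' and the current user>
        return wp_nonce_url( $url, 'ai1wmbe_settings' );
    }
}
```

One caveat when applying this pattern: a WordPress nonce is tied to the logged-in user's session, so if the token is delivered by a redirect from an external OAuth provider, the nonce has to survive that round trip (for example by being carried in the provider's state parameter); otherwise the legitimate callback is rejected along with the forged ones.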
Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:
- Box Extension: v1.54
- Google Drive Extension: v2.80
- OneDrive Extension: v1.67
- Dropbox Extension: v3.76
Users are also advised to run the latest version of the free base plugin, All-in-One WP Migration v7.78.
Bijay Pokharel