The All-in-One WP Migration Extensions, a popular set of premium add-ons for migrating WordPress websites, have been found to contain a security vulnerability that allows unauthenticated users to update or delete the access token configuration of the affected extensions.

By manipulating that access token, an attacker could point the extension at a third-party storage account under their control, disclosing sensitive migration data, or could restore a malicious backup.

The vulnerability, which has been assigned the CVE identifier CVE-2023-40004, affects the All-in-One WP Migration Box Extension, the All-in-One WP Migration Google Drive Extension, the All-in-One WP Migration OneDrive Extension, and the All-in-One WP Migration Dropbox Extension.

The vulnerable code is nearly identical across all four affected extensions. It lives in the init function; below is the example from the All-in-One WP Migration Box Extension:

lib/controller/class-ai1wmbe-main-controller.php, function init()
public function init() {
    if ( isset( $_GET['ai1wmbe_token'] ) ) {
        update_option( 'ai1wmbe_box_token', urldecode( $_GET['ai1wmbe_token'] ) );

        // Redirect to settings page
        wp_redirect( network_admin_url( 'admin.php?page=ai1wmbe_settings' ) );
        exit;
    }

    if ( AI1WMBE_PURCHASE_ID ) {
        update_option( 'ai1wmbe_plugin_key', AI1WMBE_PURCHASE_ID );
    }
}

The only difference in the other three extensions is the ai1wmbe prefix, which is specific to each extension. Notice that the function updates the ai1wmbe_box_token option directly from the $_GET['ai1wmbe_token'] value. The init function is hooked to WordPress's admin_init hook, which is registered in the activate_actions function:

/**
 * Register listeners for actions
 *
 * @return void
 */
private function activate_actions() {
    add_action( 'admin_init', array( $this, 'init' ) );
    add_action( 'admin_init', array( $this, 'router' ) );
    add_action( 'admin_init', array( $this, 'load_textdomain' ) );
    add_action( 'admin_head', array( $this, 'admin_head' ) );
-------------------------- CUT HERE --------------------------

WordPress fires the admin_init hook on every request to the /wp-admin/admin-ajax.php endpoint, including requests from users who are not logged in. Since the init function performs no permission or nonce validation, an unauthenticated user is able to modify or delete the access token used by each of the affected extensions simply by sending a request with the ai1wmbe_token query parameter (an empty value clears the stored token).
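The behaviour above has a simple footprint in web-server logs: a request to admin-ajax.php carrying the token parameter, answered with the 302 redirect that init() issues after update_option(). The following detector, an added example written for this page and not code from the article or from the extensions, scans combined-format access logs for that pattern. It assumes the other three extensions use the same `<prefix>_token` parameter naming the article describes for ai1wmbe_token (expressed here as a regular expression rather than an exact list), and it also watches admin-post.php, which fires admin_init without a login check in the same way (an addition by the editor, not stated in the article). The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin-area scripts on which WordPress runs do_action('admin_init') before any
# login check: admin-ajax.php is the one the article names; admin-post.php
# behaves the same way (editor's addition, not stated in the article).
UNAUTH_ADMIN_INIT_ENDPOINTS = ("/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php")

# The article shows ai1wmbe_token (Box) and says only the ai1wmbe prefix differs
# for the other three extensions; this pattern is an assumed generalisation of
# that naming. Replace it with an explicit list if you know the exact names.
TOKEN_PARAM = re.compile(r"^ai1wm[a-z]+_token$")

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def token_params(target):
    """Token-setting query parameters in a request target that reaches admin_init unauthenticated."""
    parts = urlsplit(target)
    if not any(parts.path.endswith(p) for p in UNAUTH_ADMIN_INIT_ENDPOINTS):
        return []
    # keep_blank_values: "ai1wmbe_token=" is the deletion case, the option is set to ""
    qs = parse_qs(parts.query, keep_blank_values=True)
    return sorted(k for k in qs if TOKEN_PARAM.match(k))


def scan(lines):
    """One finding per request that would reach the vulnerable init() handler."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        params = token_params(entry["target"])
        if not params:
            continue
        findings.append({
            "ip": entry["ip"],
            "time": entry["time"],
            "params": params,
            "status": int(entry["status"]),
            # The handler ends with wp_redirect() to the settings page, so a 302
            # means update_option() ran; any other status is still an attempt.
            "updated": entry["status"] == "302",
        })
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2023:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?ai1wmbe_token=attacker-supplied HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Aug/2023:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?ai1wmbe_token= HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Aug/2023:12:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 1',
    '192.0.2.9 - admin [10/Aug/2023:12:02:00 +0000] "GET /wp-admin/admin.php?page=ai1wmbe_settings HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Aug/2023:12:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the scan reports the two requests from 203.0.113.7 (one setting a token, one clearing it) and ignores the admin's own visit to the settings page on admin.php, where WordPress requires a login before admin_init fires. A legitimate administrator completing the Box authorisation will also produce a matching line, so the finding is an indicator to correlate with the session and source address, not proof of compromise on its own.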


The patch is as simple as adding permission and nonce validation on the init function. Below is an example patch from the All-in-One WP Migration Box Extension:
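To illustrate what that fix looks like in the handler, here is a hardened version of the Box Extension's init() written as an added example for this page; it is not the vendor's actual patch. It assumes a nonce action name, ai1wmbe_set_token, and a helper, token_url(), that the settings page would use to build the link; both names are hypothetical. Everything else keeps the behaviour of the original snippet above.

```php
// Added example, not the extension's real patch. The nonce action name
// 'ai1wmbe_set_token' and the token_url() helper are assumptions.
public function init() {
    if ( isset( $_GET['ai1wmbe_token'] ) ) {
        // 1. Permission: only a user allowed to manage the site may change the
        //    token. admin_init also fires for unauthenticated admin-ajax.php
        //    requests, where current_user_can() is false, so they stop here.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Sorry, you are not allowed to do this.' ), 403 );
        }

        // 2. Nonce: the request must carry a _wpnonce issued for this action,
        //    which also prevents CSRF against a logged-in administrator.
        //    check_admin_referer() calls wp_die() itself on failure.
        check_admin_referer( 'ai1wmbe_set_token' );

        update_option( 'ai1wmbe_box_token', urldecode( $_GET['ai1wmbe_token'] ) );

        // Redirect to settings page; wp_safe_redirect() restricts the target to
        // allowed hosts, which a fixed admin URL satisfies.
        wp_safe_redirect( network_admin_url( 'admin.php?page=ai1wmbe_settings' ) );
        exit;
    }

    if ( AI1WMBE_PURCHASE_ID ) {
        update_option( 'ai1wmbe_plugin_key', AI1WMBE_PURCHASE_ID );
    }
}

// Hypothetical helper: whatever builds the link that submits the token must
// attach the matching nonce, otherwise check_admin_referer() rejects it.
public function token_url( $token ) {
    return wp_nonce_url(
        add_query_arg( 'ai1wmbe_token', rawurlencode( $token ), network_admin_url( 'admin.php' ) ),
        'ai1wmbe_set_token'
    );
}
```

The capability check alone closes the unauthenticated path; the nonce is what stops an attacker from getting an administrator to follow a crafted link. If the token reaches the site through a redirect from the storage provider rather than from a page the plugin rendered, the nonce has to survive that round trip (for example by being carried in the URL the provider is told to return to); the article does not describe that flow, so treat this as a design consideration rather than a description of the shipped fix.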

Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Users should also update the free base plugin, All-in-One WP Migration, to the latest version, v7.78.