This WordPress plugin with 5 million users could have a serious security flaw
A migration tool can be abused to steal data
Cybersecurity researchers from Patchstack recently discovered a high-severity flaw in a popular extension for WordPress that allows threat actors to exfiltrate sensitive information from vulnerable websites.
The vulnerability is tracked as CVE-2023-40004 and allows unauthenticated users to access and modify access-token configurations. It was found in All-in-One WP Migration, a plugin with five million active installations.
This is an add-on that lets non-technical WP admins quickly and seamlessly migrate their WP data from one place to another. Since the tokens control where migration data goes, the flaw could be abused to redirect website migration data to threat actors' own servers, or to restore malicious backups.
Multiple vulnerable add-ons
The flaw was discovered in mid-July this year and was subsequently reported to the plugin's creators, ServMask. The company released an update roughly a week later, fixing the issue by adding permission and nonce validation to the init function.
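To make that fix concrete, here is an added illustration, written for this article and not taken from ServMask's plugin or extensions. It sketches a WordPress `init`-hook handler that stores a cloud-storage token with no checks, next to the same handler guarded by a capability check and a nonce check. The option name, request parameters, nonce action and the `export` capability are assumptions for the example.

```php
<?php
/**
 * Illustrative sketch (not ServMask's code) of the hardening described above:
 * an `init` handler that stores a cloud-storage token, first with no checks,
 * then with a capability check and a nonce check. Option name, parameters,
 * nonce action and capability are assumed for this example.
 */

// --- Weak pattern: `init` fires on every request, for anonymous visitors
// --- too, so anyone who can reach the site can overwrite the stored token.
// --- Left unregistered here so only the hardened handler is live.
// add_action( 'init', 'example_weak_token_handler' );
function example_weak_token_handler() {
	if ( ! isset( $_GET['example_cloud_token'] ) ) {
		return;
	}
	// No capability check, no nonce: an unauthenticated request such as
	// /?example_cloud_token=ATTACKER_TOKEN repoints exports at storage the
	// attacker controls (the "redirect migration data" abuse described above).
	update_option(
		'example_cloud_token',
		sanitize_text_field( wp_unslash( $_GET['example_cloud_token'] ) )
	);
}

// --- Hardened pattern: same hook, but the request must come from a user
// --- holding the relevant capability *and* carry a nonce bound to that user
// --- and this action. The first check stops anonymous callers; the second
// --- stops CSRF riding on a logged-in administrator's browser.
add_action( 'init', 'example_hardened_token_handler' );
function example_hardened_token_handler() {
	if ( ! isset( $_GET['example_cloud_token'] ) ) {
		return;
	}

	// 1. Permission: only users allowed to run exports may change the token
	//    ('export' is an assumed choice of capability for this sketch).
	if ( ! current_user_can( 'export' ) ) {
		wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
	}

	// 2. Nonce: the request must carry a nonce minted for this exact action
	//    (see example_token_settings_url() below); nonces expire and are tied
	//    to the current user, so a captured URL cannot be replayed by others.
	$nonce = isset( $_GET['_wpnonce'] )
		? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'example_cloud_token_update' ) ) {
		wp_die( 'Invalid or expired request.', 'Forbidden', array( 'response' => 403 ) );
	}

	update_option(
		'example_cloud_token',
		sanitize_text_field( wp_unslash( $_GET['example_cloud_token'] ) )
	);
}

// The link a settings screen would emit: wp_nonce_url() appends a `_wpnonce`
// parameter bound to the current user and the action name checked above.
function example_token_settings_url( $token ) {
	return wp_nonce_url(
		add_query_arg(
			'example_cloud_token',
			rawurlencode( $token ),
			admin_url( 'admin.php?page=example-cloud' )
		),
		'example_cloud_token_update'
	);
}
```

The two checks are complementary rather than redundant: `current_user_can()` alone would still let a logged-in admin be tricked into clicking a crafted link, and `wp_verify_nonce()` alone would still accept a valid nonce generated for a low-privilege account, so a handler that writes configuration needs both.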
The silver lining, according to BleepingComputer, is that the extension is only used during migration and should not be active (and thus, a threat) at any other time.
The bad news is that the researchers found the same piece of vulnerable code in a few other extensions from the same manufacturer, including the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension.
To secure their websites, WP admins are advised to make sure their extensions are upgraded to these versions:
Box Extension: v1.54
Google Drive Extension: v2.80
OneDrive Extension: v1.67
Dropbox Extension: v3.76
All-in-One WP Migration should be upgraded to v7.78.
WordPress is by far the world’s most popular content management system (CMS), with roughly half of all internet websites powered by the product. As such, it’s a popular target among cybercriminals.
While WordPress itself is generally considered safe, it’s the add-ons (mostly the free ones) that are usually the weakest link in the cybersecurity chain.
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.