Cybersecurity researchers from Patchstack recently discovered a high-severity flaw in a popular extension for WordPress, which allows threat actors to exfiltrate sensitive information from vulnerable websites.
The vulnerability is tracked as CVE-2023-40004, and is described as allowing unauthenticated users to access and tweak token configurations. The flaw was found in an extension called All-in-One WP Migration, which has five million active installations.
This is an add-on that allows non-technical WP admins to quickly and seamlessly migrate their WP data from one place to another. That being said, the flaw could be abused to redirect website migration data to threat actors’ own servers, or to restore malicious backups.
Multiple vulnerable add-ons
The flaw was discovered in mid-July this year and was subsequently reported to the plugin’s creators, ServMask. The company released an update roughly a week later, addressing the issue with permission and nonce validation to the init function.
The silver lining, according to BleepingComputer, is that the extension is only used during migration and should not be active (and thus, a threat) at any other time.
The bad news is that the researchers found the same piece of vulnerable code in a few other extensions from the same manufacturer, including the Box extension, Google Drive extension, One Drive extension, and Dropbox extension.
To secure their websites, WP admins are advised to make sure their extensions are upgraded to these versions:
Box Extension: v1.54
Google Drive Extension: v2.80
OneDrive Extension: v1.67
Dropbox Extension: v3.76
All-in-One WP Migration should be upgraded to v7.78.
WordPress is by far the world’s most popular content management system (CMS), with roughly half of all internet websites powered by the product. As such, it’s a popular target among cybercriminals.
While WordPress itself is generally considered safe, it’s the add-ons (mostly the free ones) that are usually the weakest link in the cybersecurity chain.