
High-Severity WordPress Backup Plugin Vulnerability Puts 5+ Million Websites at Risk

A recently discovered vulnerability in the popular All-in-One WP Migration and Backup plugin affects over five million WordPress websites. This high-severity flaw, rated 7.5 (High) on the Common Vulnerability Scoring System (CVSS), poses a security risk because of the way it can be exploited. However, the conditions needed to trigger it limit the attack's scope, reducing the likelihood of widespread abuse.

Understanding the Vulnerability: Unauthenticated PHP Object Injection

The flaw, classified as an Unauthenticated PHP Object Injection, allows attackers to manipulate data during backup restoration. Unlike typical unauthenticated PHP object injections that can be directly exploited, this vulnerability requires an administrator to export and restore a backup using the plugin, creating a narrower attack window.

If the exploit conditions are met, attackers could:

  • Delete critical files
  • Access sensitive data
  • Execute malicious code

Wordfence Security Report

According to a report from Wordfence, the vulnerability exists in all versions up to and including 7.89. It arises from untrusted input deserialization in the replace_serialized_values function. While no known Property-Oriented Programming (POP) chain has been identified in the affected software, an attacker could exploit it if another plugin or theme on the website contains a vulnerable POP chain.

Wordfence explains:

“The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input. If a POP chain is present via an additional plugin or theme, it could allow attackers to delete arbitrary files, retrieve sensitive data, or execute code. However, an administrator must export and restore a backup to trigger the exploit.”
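As an added illustration (not code from the plugin or from Wordfence), the snippet below models the kind of search-and-replace a migration tool performs on serialized values during a restore; `HypotheticalGadget`, `replace_in_serialized_unsafe` and `replace_in_serialized_safe` are invented names. It shows why an object named in an untrusted backup matters: with default `unserialize()` the named class's magic method runs, while `allowed_classes => false` keeps the object as inert data.

```php
<?php
// Added illustration, not the plugin's code: rewriting strings inside
// serialized values, first with unsafe unserialize(), then with
// allowed_classes => false. Class and function names are hypothetical.

// Stand-in for a "gadget" class another plugin or theme might ship: its
// magic method runs automatically whenever unserialize() builds an instance.
class HypotheticalGadget {
    public $target;
    public function __wakeup() {
        // A real gadget would act on $this->target here (file I/O, includes);
        // this stand-in only records that untrusted data reached a magic method.
        $GLOBALS['magic_method_ran'] = true;
    }
}

// Rewrite strings inside nested arrays; objects (incomplete or not) are
// left untouched, so their properties are re-emitted exactly as read.
function replace_recursive($data, string $from, string $to) {
    if (is_string($data)) return str_replace($from, $to, $data);
    if (is_array($data)) foreach ($data as $k => $v) $data[$k] = replace_recursive($v, $from, $to);
    return $data;
}

// UNSAFE: with default options unserialize() instantiates whatever class the
// backup names, so the backup decides which __wakeup/__destruct bodies run.
function replace_in_serialized_unsafe(string $value, string $from, string $to): string {
    $data = @unserialize($value);
    if ($data === false && $value !== 'b:0;') return str_replace($from, $to, $value); // not serialized
    return serialize(replace_recursive($data, $from, $to));
}

// SAFER: every object becomes __PHP_Incomplete_Class, no magic method is
// invoked, and serialize() still emits the original class name and properties.
function replace_in_serialized_safe(string $value, string $from, string $to): string {
    $data = @unserialize($value, ['allowed_classes' => false]);
    if ($data === false && $value !== 'b:0;') return str_replace($from, $to, $value); // not serialized
    return serialize(replace_recursive($data, $from, $to));
}

// Constructed backup value naming the gadget class, as an attacker-edited
// export would; only the unsafe path lets its __wakeup() execute.
$untrusted = 'O:18:"HypotheticalGadget":1:{s:6:"target";s:13:"/old/path.txt";}';
foreach (['replace_in_serialized_unsafe', 'replace_in_serialized_safe'] as $fn) {
    $GLOBALS['magic_method_ran'] = false;
    $rewritten = $fn($untrusted, '/old', '/new');
    echo $fn, ': magic method ran = ', var_export($GLOBALS['magic_method_ran'], true), "\n";
}
```

Restricting `allowed_classes` is a containment measure, not a substitute for the vendor patch: it neutralises gadget chains in data that should only ever hold arrays and scalars, but data that legitimately needs live objects requires an explicit allow-list instead of `false`.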

Recommended Action: Update to the Latest Version

To mitigate the risk, users are strongly advised to update the plugin immediately to the latest version, 7.90, which contains a patch for the vulnerability. Keeping plugins updated is essential to protect your website from potential security threats.

For more details, read the official Wordfence security advisory: All in One WP Migration <= 7.89 – Unauthenticated PHP Object Injection.


Kumail Mehdi

I am a goal-driven person, I work well with people and like to challenge myself in different ways. I also want to have a great career that can develop me as an individual and an employer as well, so as to be part of a positive working environment where I can learn and grow. My interests include reading, swimming, and going out for fun.
