Home » All-in-One WP Migration 2.0.4 Security Vulnerability

All-in-One WP Migration 2.0.4 Security Vulnerability

There is a serious security vulnerability in All-in-One WP Migration version 2.0.4. Update immediately. This vulnerability can allow users without any authentication to export a copy of your database, plugins, themes, and uploaded files.

My story

It wasn’t supposed to happen like this. I was setting up a couple of test servers for a project I’m working on and I wanted to be able to backup and move the data around easily. Why not try out one of the tools designed to do this rather than roll my own?

I found All-in-One WP Migration, with 40,000+ installs it should be solid. Of course, I couldn’t just install it and use it as is. I had to pull back the curtain and take a peek.

At first, I saw our familiar friend AJAX without proper protection, but the import call actually checked permission. The other exposed AJAX calls couldn’t really do anything useful/threatening.

Then I noticed this little gem:

controller

Could be benign as long as it’s called from some place that has some form of authorization. Unfortunately it is called from the ‘init’ action.

allinone-router

Luckily the import function is protected so you can’t make any changes, but there is plenty of fun stuff that can be exported.

allinone-cap

Just having access to the database should be enough to panic any site administrator, but having all of the uploads, themes, and plugins bundled up in a zip file is terrifying.

I will not distribute a PoC for this. Please upgrade your sites immediately!

Vendor Response

ServMask was very quick to respond and was planning on releasing an update asap. I suggested they contact plugins@wordpress.org and see if there is the possibility to have the plugin force updated like the Yoast WordPress SEO plugin update was last week.

Timeline

  • 3/12/2015 2:40pm Vendor contacted
  • 3/12/2015 2:47pm Vendor response
  • 3/14/2015 Update released on wordpress.org