Platform: wordpress
Component: all-in-one-wp-migration
Fixed in: 7.86.1
CVE-2024-9162 is a high-severity vulnerability in the All-in-One WP Migration and Backup plugin for WordPress. The plugin does not validate the file type of an export, so an authenticated attacker holding the administrator role can write arbitrary PHP code into an export file and obtain remote code execution. All versions up to and including 7.86 are affected. A patched release is available.
The impact is remote code execution (RCE) on any WordPress site running a vulnerable version. An attacker who already holds administrator access crafts an export whose filename carries a .php extension and whose content includes PHP code; once the plugin writes and processes that file, the embedded PHP runs on the server with the web server's privileges. From there the attacker can take full control of the host, read credentials, database contents and site files, deface the site, or plant persistent malware. Two points bound the blast radius. First, the attack needs the administrator role, so subscribers, editors and anonymous visitors cannot trigger it directly. Second, a WordPress administrator can normally install plugins and therefore already run PHP; the flaw matters most where that ability has been removed, for example on multisite installs where only the network administrator may install plugins, or where DISALLOW_FILE_MODS is set, because it hands such an account a code-execution path that the hardening was meant to close.
CVE-2024-9162 was publicly disclosed on 2024-10-28. No active exploitation campaign had been confirmed at the time of writing, but the attack is simple once administrator access is held and the plugin is very widely installed, which makes it a high-priority target. Public proof-of-concept exploits are available, which raises the likelihood of exploitation. The vulnerability has not been added to the CISA KEV catalog.
Exploit Status
EPSS: 62.61% (98th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-9162 is to upgrade the All-in-One WP Migration and Backup plugin to a patched release immediately. If the upgrade must wait for compatibility testing, deactivate the plugin until it can be updated and review which accounts hold the administrator role; the vulnerable code path is the export, so limiting uploads does not close it. As defense in depth, configure the web server to refuse to execute PHP from the plugin's backup directory (wp-content/ai1wm-backups by default), and place a web application firewall rule in front of the plugin's export requests that blocks PHP code in the submitted filename or payload. Monitor web server and WordPress logs for export requests that carry a .php filename and for subsequent requests to .php files under the backup directory.
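The monitoring advice above in script form. This is an added example, not code from the advisory or from the plugin vendor. It assumes the plugin's default backup directory wp-content/ai1wm-backups, that legitimate exports end in .wpress, that the plugin's own index.php placeholder in that directory is benign, and that the access log is in the common/combined format; the log lines and file names in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the plugin vendor.
# Assumptions: the plugin keeps exports in its default directory
# wp-content/ai1wm-backups, legitimate exports end in .wpress, and the
# access log is in the common/combined format. Override AI1WM_BACKUP_DIR
# if the backup location was changed.

AI1WM_BACKUP_DIR="${AI1WM_BACKUP_DIR:-wp-content/ai1wm-backups}"

# List PHP-executable files inside the backup directory. A legitimate export
# is a .wpress archive; a .php/.phtml/.phar file here is the artifact the
# CVE-2024-9162 export path leaves behind. index.php is excluded because the
# plugin drops a placeholder one to block directory listings (assumption).
find_php_in_backup_dir() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) \
       ! -name 'index.php' 2>/dev/null
}

# Read access-log lines on stdin and print those that request a PHP file
# under the backup directory. Exit status is grep's: 0 if anything matched,
# 1 if nothing did.
scan_access_log() {
  grep -E '/ai1wm-backups/[^ "]*\.ph(p[0-9]?|tml|ar)([?" ]|$)'
}

# Constructed sample log: one normal download of an export, one fetch of a
# planted PHP file with a command parameter, one unrelated login request.
SAMPLE_LOG='203.0.113.7 - - [28/Oct/2024:14:02:11 +0000] "GET /wp-content/ai1wm-backups/site-20241028-140000-a1b2c3.wpress HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2024:14:03:45 +0000] "GET /wp-content/ai1wm-backups/export-20241028.php?c=id HTTP/1.1" 200 96 "-" "curl/8.4.0"
198.51.100.20 - - [28/Oct/2024:14:04:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"'

# Usage on a real host:
#   AI1WM_DOCROOT=/var/www/html ACCESS_LOG=/var/log/nginx/access.log sh ai1wm-check.sh
# Without AI1WM_DOCROOT the script only scans the constructed sample log.
if [ -n "${AI1WM_DOCROOT:-}" ]; then
  echo "== PHP files in $AI1WM_DOCROOT/$AI1WM_BACKUP_DIR =="
  find_php_in_backup_dir "$AI1WM_DOCROOT/$AI1WM_BACKUP_DIR"
  echo "== access-log requests for PHP under the backup directory =="
  scan_access_log < "${ACCESS_LOG:-/dev/null}" || echo "(none)"
else
  printf '%s\n' "$SAMPLE_LOG" | scan_access_log
fi
```

Against the sample log only the second line is reported: the .wpress download is the plugin's normal behaviour and the login request is outside the backup directory. On a real host, any hit from `find_php_in_backup_dir` should be treated as an indicator of compromise and preserved before removal.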
Update the All-in-One WP Migration and Backup plugin to the latest available version. The vulnerability is present in versions earlier than 7.87. The update corrects the missing file-type validation during export.
CVE-2024-9162 is a HIGH severity vulnerability in the All-in-One WP Migration plugin for WordPress. An authenticated attacker with the administrator role can inject PHP code through an export file, which can lead to remote code execution.
You are affected if you are using All-in-One WP Migration version 7.86 or earlier. Check your plugin version and upgrade immediately.
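A scripted form of that version check, added here as an example and not part of the advisory or the plugin's own tooling. It assumes the standard plugin slug all-in-one-wp-migration, the usual WordPress plugin header (a "Version:" line in the main plugin file), GNU `sort -V` for version ordering, and, for the live-site helper only, that WP-CLI is installed as `wp`.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin vendor. Assumes the
# plugin slug all-in-one-wp-migration, the WordPress plugin header format
# ("Version: x.y" in the main plugin file) and, for live sites, WP-CLI.

# Highest affected release named in the advisory.
AI1WM_LAST_VULNERABLE="7.86"

# True (exit 0) when version $1 is affected, i.e. sorts at or below 7.86 in
# version order (so 7.9 is affected because it precedes 7.86; 7.87 is not).
ai1wm_is_vulnerable() {
  top=$(printf '%s\n%s\n' "$1" "$AI1WM_LAST_VULNERABLE" | sort -V | tail -n 1)
  [ "$top" = "$AI1WM_LAST_VULNERABLE" ]
}

# Read the version out of a plugin main file's header block without PHP or
# WP-CLI (useful on a backup or an offline copy of the docroot).
ai1wm_version_from_file() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" \
    | head -n 1 | tr -d '[:space:]'
}

# Version of the installed plugin on a live site via WP-CLI (assumed present).
ai1wm_version_from_wpcli() {
  wp plugin get all-in-one-wp-migration --field=version --path="$1"
}

# Report on one site whose docroot is $1. Returns 2 when vulnerable so the
# exit status can drive a fleet-wide sweep.
ai1wm_report() {
  docroot="$1"
  main="$docroot/wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php"
  if [ ! -f "$main" ]; then
    echo "$docroot: plugin not installed"
    return 0
  fi
  ver=$(ai1wm_version_from_file "$main")
  if ai1wm_is_vulnerable "$ver"; then
    echo "$docroot: all-in-one-wp-migration $ver VULNERABLE to CVE-2024-9162, upgrade now"
    return 2
  fi
  echo "$docroot: all-in-one-wp-migration $ver not affected"
}

# Usage: sh ai1wm-version-check.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
  ai1wm_report "$root"
done
```

The comparison deliberately uses version ordering rather than string or float comparison: treated as a number, 7.9 would look newer than 7.86 and a vulnerable install would be reported as safe.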
Upgrade the All-in-One WP Migration plugin to the latest available version. If you cannot upgrade immediately, deactivate the plugin until you can and limit the administrator role to the accounts that need it.
While no confirmed active exploitation campaigns are currently known, the availability of public proof-of-concept exploits suggests a high likelihood of exploitation.
Refer to the official All-in-One WP Migration website and WordPress plugin repository for the latest security advisories and updates.