All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
Platform: wordpress
Component: all-in-one-wp-migration
Fixed in: 7.86.1
CVE-2024-9162 describes a high-severity vulnerability in the All-in-One WP Migration and Backup plugin for WordPress. The flaw allows an authenticated attacker with administrator privileges to inject arbitrary PHP code through the plugin's export functionality, which can lead to remote code execution on the web server. It affects versions of the plugin up to and including 7.86; a patched release is available.
Impact and Attack Scenarios
The primary impact of CVE-2024-9162 is remote code execution (RCE) on WordPress sites running the vulnerable plugin. An attacker who already holds administrator access crafts an export whose output file carries a .php extension; when that file is processed by the plugin, or requested directly from the directory the plugin wrote it to, the embedded PHP runs on the server. From there the attacker can take full control of the web server, read sensitive data (user credentials, database contents, site files), deface the site, or install malware. Because a WordPress administrator can normally upload arbitrary plugin code anyway, the flaw matters most on hardened sites where such modifications are disabled (for example with the DISALLOW_FILE_MODS constant) yet this plugin remains active, and on shared hosts where one compromised site can reach its neighbours.
Exploitation Context
CVE-2024-9162 was publicly disclosed on 2024-10-28. No active exploitation campaigns had been confirmed at the time of writing, but public proof-of-concept exploits exist, and the low attack complexity combined with the plugin's large install base make it a high-priority target. The vulnerability has not been added to the CISA KEV catalog.
Who Is at Risk
WordPress sites running the All-in-One WP Migration and Backup plugin are at risk, particularly where administrator accounts are weakly protected (shared or reused passwords, no multi-factor authentication, more administrator accounts than necessary), since the attacker must first obtain administrator privileges. Shared hosting environments, where several sites share the same server resources, carry additional risk: code execution on one site can lead to the compromise of the others.
Detection Steps
• Check the installed plugin version (affected if 7.86 or earlier):
wp plugin get all-in-one-wp-migration --field=version
or read the header of the plugin's main file:
grep -m1 -i "Version:" /var/www/html/wp-content/plugins/all-in-one-wp-migration/all-in-one-wp-migration.php
• Check whether the plugin is active (the export code only runs while the plugin is active, but an inactive copy should still be updated or removed):
wp plugin list --fields=name,status,version | grep all-in-one-wp-migration
• Look for PHP files where only archives or media should exist, modified in the last 7 days (note the sign: -mtime -7 selects recent files, whereas -mtime +7 selects files older than a week):
find /var/www/html/wp-content/uploads/ /var/www/html/wp-content/ai1wm-backups/ -name '*.php' -type f -mtime -7 -print
Attack Timeline
- Disclosure: 2024-10-28
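The detection steps above, combined into one script as an added example; this is not code from the advisory page or from the plugin. It assumes the WordPress root is /var/www/html (override with WP_ROOT), that the plugin's main file carries the standard "Version:" header, and that exports are written to wp-content/ai1wm-backups, the plugin's default export directory.

```shell
#!/bin/sh
# Added triage script for CVE-2024-9162 (example code, not from the advisory or the plugin).
# Assumptions: WP_ROOT is the WordPress install, the plugin's main file has a
# "Version:" header, and exports live in wp-content/ai1wm-backups (plugin default).

WP_ROOT="${WP_ROOT:-/var/www/html}"
PLUGIN_DIR="$WP_ROOT/wp-content/plugins/all-in-one-wp-migration"
BACKUP_DIR="$WP_ROOT/wp-content/ai1wm-backups"

# Return 0 when VERSION is affected (<= 7.86), 1 otherwise.
# sort -V compares 7.9 < 7.86 < 7.86.1 < 7.87 numerically, not lexically.
ai1wm_is_vulnerable() {
    ver="$1"
    newest=$(printf '%s\n%s\n' "$ver" "7.86" | sort -V | tail -n 1)
    [ "$newest" = "7.86" ]
}

# Print the installed version from the plugin header; return 1 if not installed.
# (Equivalent WP-CLI call: wp plugin get all-in-one-wp-migration --field=version)
ai1wm_installed_version() {
    f="${1:-$PLUGIN_DIR}/all-in-one-wp-migration.php"
    [ -f "$f" ] || return 1
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$f" | head -n 1 | tr -d '\r'
}

# List .php files in the export directory modified in the last 7 days.
# A legitimate export is a .wpress archive; a .php file here is the artefact
# this advisory describes. (-mtime -7 = newer than a week; +7 would mean older.)
ai1wm_find_php_exports() {
    dir="${1:-$BACKUP_DIR}"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name '*.php' -mtime -7 -print
}

# Overall verdict: exit 1 if the installed version is affected.
ai1wm_check() {
    v=$(ai1wm_installed_version "$PLUGIN_DIR") || { echo "plugin not installed in $PLUGIN_DIR"; return 0; }
    if ai1wm_is_vulnerable "$v"; then
        echo "VULNERABLE: all-in-one-wp-migration $v (affected: <= 7.86)"
        echo "PHP files in $BACKUP_DIR modified in the last 7 days:"
        ai1wm_find_php_exports "$BACKUP_DIR"
        return 1
    fi
    echo "OK: all-in-one-wp-migration $v"
}

# Usage: sh ai1wm-check.sh check   (WP_ROOT=/path/to/site to override the root)
if [ "${1:-}" = "check" ]; then
    ai1wm_check
fi
```

The version comparison is the part worth keeping even if you rewrite the rest: a plain string comparison would rank 7.9 above 7.86 and miss an old install.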
Threat Intelligence
- Exploit status: public proof-of-concept available; no confirmed in-the-wild campaigns; not listed in CISA KEV
- EPSS: 62.61% (98th percentile)
- CVSS vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 7.2, High)
What these metrics mean
- Attack Vector
- Network: exploitable remotely over the internet; no physical or local access required.
- Attack Complexity
- Low: no special conditions required; reliably exploitable.
- Privileges Required
- High: an administrator or otherwise privileged account is required.
- User Interaction
- None: the attack is automatic and silent; the victim does nothing.
- Scope
- Unchanged: impact is limited to the vulnerable component.
- Confidentiality
- High: total loss of confidentiality; the attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete outage or resource exhaustion; total denial of service.
Affected Software
Package information
- Active installations
- 5.0M
- Plugin rating
- 4.5
- Requires WordPress
- 3.3+
- Tested up to
- 7.0
- Requires PHP
- 5.3+
Timeline
- Reserved
- Published: 2024-10-28
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2024-9162 is to upgrade the All-in-One WP Migration and Backup plugin to a release later than 7.86 without delay. If upgrading is not immediately feasible because of compatibility concerns, deactivate the plugin until it can be updated: the vulnerable export code only runs while the plugin is active. Because exploitation requires an administrator account, reduce the attacker's path to that account (enforce multi-factor authentication, remove unused administrator users, rotate weak passwords). A web application firewall (WAF) configured to block export requests that set a .php filename, or direct requests for .php files inside the plugin's export directory, adds a layer of defense. Monitor web-server and WordPress logs for unexpected .php files appearing in upload or export directories and for requests that execute them.
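The log-monitoring and defense-in-depth advice above, as an added example that is not code from the advisory page or from the plugin. It assumes the plugin writes exports to wp-content/ai1wm-backups (its default directory), that the web server logs in Apache/nginx combined format, and that Apache 2.4 "Require" syntax is in use; the log lines embedded in the script are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): flag direct requests for
# PHP files in the plugin's export directory and emit a rule that refuses them.
# Assumptions: exports live in wp-content/ai1wm-backups, logs are combined format,
# and the Apache 2.4 "Require" directive is available.

# Constructed sample log lines: two direct hits on .php files in the export
# directory (the execution step for a planted file), one legitimate .wpress
# download, one unrelated admin-ajax request.
AI1WM_SAMPLE_LOG='203.0.113.7 - - [28/Oct/2024:10:00:01 +0000] "GET /wp-content/ai1wm-backups/site-20241028.php HTTP/1.1" 200 57 "-" "curl/8.4"
203.0.113.7 - - [28/Oct/2024:10:00:02 +0000] "GET /wp-content/ai1wm-backups/site-20241028.wpress HTTP/1.1" 200 104857600 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Oct/2024:10:01:00 +0000] "POST /wp-content/ai1wm-backups/x.php?cmd=id HTTP/1.1" 200 14 "-" "python-requests/2.31"
192.0.2.4 - - [28/Oct/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 35 "-" "Mozilla/5.0"'

# Print log lines (from stdin) whose request path is a .php file under the
# export directory. In combined format field 7 is the request path; the query
# string, if any, is part of that field, hence the trailing "[?]|$".
ai1wm_flag_php_in_backups() {
    awk '$7 ~ /^\/wp-content\/ai1wm-backups\/[^? ]*\.php([?]|$)/'
}

# Count flagged lines; convenient for a cron job that alerts when non-zero.
ai1wm_count_php_in_backups() {
    ai1wm_flag_php_in_backups | wc -l | tr -d ' '
}

# Apache 2.4 rule for the export directory's .htaccess: refuse to serve any
# .php file there, so a planted file cannot be executed by a direct request.
# Only effective where AllowOverride permits Limit/AuthConfig for that path.
ai1wm_deny_php_rule() {
    cat <<'EOF'
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: sh ai1wm-monitor.sh scan /var/log/apache2/access.log
#        sh ai1wm-monitor.sh rule > /var/www/html/wp-content/ai1wm-backups/.htaccess
case "${1:-}" in
    scan) ai1wm_flag_php_in_backups < "${2:-/var/log/apache2/access.log}" ;;
    rule) ai1wm_deny_php_rule ;;
esac
```

The deny rule is a stop-gap, not a fix: it blocks the direct-request execution path on Apache only, and it does nothing if the planted file is triggered by the plugin itself or served by nginx, so it belongs alongside the update, not instead of it.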
How to fix
Update the All-in-One WP Migration and Backup plugin to the latest available version. Versions up to and including 7.86 are affected; the update adds the file-type validation that was missing during export, so an export can no longer be written with a .php extension.
Frequently asked questions
What is CVE-2024-9162 — PHP Code Injection in All-in-One WP Migration?
CVE-2024-9162 is a HIGH severity vulnerability in the All-in-One WP Migration plugin for WordPress, allowing attackers to inject PHP code via export files, potentially leading to remote code execution.
Am I affected by CVE-2024-9162 in All-in-One WP Migration?
You are affected if you are using All-in-One WP Migration version 7.86 or earlier. Check your plugin version and upgrade immediately.
How do I fix CVE-2024-9162 in All-in-One WP Migration?
Upgrade the All-in-One WP Migration plugin to the latest available version. If upgrading is not possible right away, deactivate the plugin until it can be updated and tighten control over administrator accounts, since the attack requires one.
Is CVE-2024-9162 being actively exploited?
While no confirmed active exploitation campaigns are currently known, the availability of public proof-of-concept exploits suggests a high likelihood of exploitation.
Where can I find the official All-in-One WP Migration advisory for CVE-2024-9162?
Refer to the official All-in-One WP Migration website and WordPress plugin repository for the latest security advisories and updates.