Platform: wordpress
Component: all-in-one-wp-migration
Fixed version: 7.86.1
CVE-2024-9162 describes a critical vulnerability in the All-in-One WP Migration and Backup plugin for WordPress. This flaw allows authenticated attackers with administrator privileges to inject arbitrary PHP code, potentially leading to remote code execution. The vulnerability impacts versions of the plugin up to and including 7.86. A patch is available to resolve this issue.
The primary impact of CVE-2024-9162 is the potential for remote code execution (RCE) on WordPress websites utilizing the vulnerable plugin. An attacker, possessing administrator-level access, can craft a malicious export file with a .php extension. This file, when processed by the plugin, will execute the embedded PHP code on the server. This could allow an attacker to gain full control of the web server, steal sensitive data (user credentials, database information, website files), deface the website, or install malware. The blast radius extends to any website relying on this plugin and vulnerable to this injection technique.
CVE-2024-9162 was publicly disclosed on 2024-10-28. While no active exploitation campaigns have been definitively confirmed at the time of writing, the ease of exploitation and the widespread use of the All-in-One WP Migration plugin make it a high-priority target. There are currently public proof-of-concept exploits available, increasing the likelihood of exploitation. This vulnerability has not yet been added to the CISA KEV catalog.
WordPress websites utilizing the All-in-One WP Migration and Backup plugin, particularly those with administrator accounts that are not adequately secured, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
  grep -r "php code injection" /var/www/html/wp-content/plugins/all-in-one-wp-migration/
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep "all-in-one-wp-migration"
• wordpress / composer / npm:
  find /var/www/html/wp-content/uploads/ -name '*.php' -type f -mtime +7 -print
Exploitation status
EPSS
62.61% (98th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-9162 is to immediately upgrade the All-in-One WP Migration and Backup plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider temporarily restricting file upload capabilities within the plugin's settings if possible. Web application firewalls (WAFs) configured to detect and block PHP code injection attempts targeting the plugin's export functionality can provide an additional layer of defense. Monitor WordPress logs for suspicious activity related to file uploads and PHP execution.
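The detection commands above and the mitigation steps in this paragraph both come down to two checks: is the installed plugin older than the fixed version, and have PHP files appeared where WordPress uploads live. The following POSIX shell script, added here as an example and not part of the advisory or of the plugin project, performs both. It assumes the plugin's main file is named all-in-one-wp-migration.php and carries a standard "Version:" plugin header; the directories and the sample header it creates at the end are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not from the advisory): flag an All-in-One WP Migration
# install below the fixed version 7.86.1 and list recently changed .php files
# under wp-content/uploads, which should normally contain no PHP at all.
# Assumption: the plugin's main file is all-in-one-wp-migration.php with a
# WordPress "Version:" header line.

FIXED_VERSION="7.86.1"

# Print the "Version:" header value from a WordPress plugin main file.
# Accepts both " * Version: 7.86" and "Version: 7.86" header styles.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) if dotted version $1 is strictly lower than $2.
# Components are compared numerically; a missing component counts as 0,
# so 7.86 < 7.86.1 and 7.86.1 is not lower than itself.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$ax" = "$a" ] && a="" || a="${a#*.}"
        [ "$bx" = "$b" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1
}

# Return 0 if the plugin directory $1 holds a version affected by CVE-2024-9162.
is_vulnerable() {
    v="$(plugin_version "$1/all-in-one-wp-migration.php")"
    [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"
}

# List .php files under uploads directory $1 modified in the last $2 days
# (default 7). Any hit is an indicator worth a manual review, not proof.
recent_php_in_uploads() {
    find "$1" -type f -name '*.php' -mtime -"${2:-7}" 2>/dev/null
}

# --- Demonstration on a constructed sample install (not a real site) ---
tmp="$(mktemp -d)"
mkdir -p "$tmp/all-in-one-wp-migration" "$tmp/uploads"
printf '<?php\n/**\n * Plugin Name: All-in-One WP Migration\n * Version: 7.86\n */\n' \
    > "$tmp/all-in-one-wp-migration/all-in-one-wp-migration.php"
printf '<?php echo 1;\n' > "$tmp/uploads/unexpected.php"
if is_vulnerable "$tmp/all-in-one-wp-migration"; then
    echo "affected: installed $(plugin_version "$tmp/all-in-one-wp-migration/all-in-one-wp-migration.php") is below $FIXED_VERSION, upgrade"
else
    echo "not affected by CVE-2024-9162"
fi
echo "recent PHP under uploads:"
recent_php_in_uploads "$tmp/uploads" 7
rm -rf "$tmp"
```

On a real site, point is_vulnerable at wp-content/plugins/all-in-one-wp-migration and recent_php_in_uploads at wp-content/uploads. The version check reads the file header rather than relying on WP-CLI, so it also works when the plugin is deactivated or WP-CLI is unavailable; the uploads check uses -mtime -N (recently modified) rather than the +7 of the listed find command, since a fresh drop is the more useful signal after a suspected compromise.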
Update the All-in-One WP Migration and Backup plugin to the latest available version. The vulnerability is present in versions prior to 7.87. The update corrects the missing file type validation during export.
CVE-2024-9162 is a HIGH severity vulnerability in the All-in-One WP Migration plugin for WordPress, allowing attackers to inject PHP code via export files, potentially leading to remote code execution.
You are affected if you are using All-in-One WP Migration version 7.86 or earlier. Check your plugin version and upgrade immediately.
Upgrade the All-in-One WP Migration plugin to the latest available version. If upgrading is not possible, consider temporary workarounds like restricting file uploads.
While no confirmed active exploitation campaigns are currently known, the availability of public proof-of-concept exploits suggests a high likelihood of exploitation.
Refer to the official All-in-One WP Migration website and WordPress plugin repository for the latest security advisories and updates.