Add-ons for a WordPress migration plugin suffer from a vulnerability that could result in sensitive information disclosure. The plugin is the All-In-One WP Migration plugin, and the affected extensions are its Box, Google Drive, OneDrive and Dropbox extensions. Those extensions suffer from unauthenticated access token manipulation, which allows an attacker to update or delete the access token configuration of the affected extensions. The All-In-One WP Migration plugin is a popular, free data migration plugin for WordPress sites and has over 5 million active installations. The free plugin itself is not affected by the vulnerability; only the premium extensions are. Patches for those extensions have already been released. As this plugin is used for migrating WordPress sites, site owners should follow security best practices and remove the plugin and its extensions once the migration is completed.
https://patchstack.com/articles/pre-auth-access-token-manipulation-in-all-in-one-wp-migration-extensions/
https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/
This segment was created for the It’s 5:05 podcast