WordPress Backup Plugin Vulnerability Affects 5+ Million Websites

A high-severity vulnerability affects the All-in-One WP Migration and Backup plugin, which is installed on over 5 million sites

A high-severity vulnerability was discovered and patched in the All-in-One WP Migration and Backup plugin, which has over five million installations. The vulnerability requires no user authentication, which would normally make a site easier to compromise, but its impact is mitigated by the restricted way it must be triggered.

The vulnerability was assigned a severity rating of 7.5 (High), which is below the highest severity level, labeled Critical.

Unauthenticated PHP Object Injection

The vulnerability is classified as an unauthenticated PHP object injection. It is less severe than a typical unauthenticated PHP object injection, in which an attacker could exploit the flaw directly: this one requires a user with administrator-level credentials to export and then restore a backup with the plugin in order to trigger the exploit.

This kind of vulnerability arises because the plugin deserializes data contained in the backup during restoration without properly verifying it. Because the window of opportunity is narrow, exploiting it is less straightforward.

Nevertheless, if the right conditions are met (an administrator restores a backup on a site where another installed plugin or theme supplies a usable POP chain), an attacker could delete files, access sensitive information, or run malicious code.

According to a report by Wordfence:

“The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the ‘replace_serialized_values’ function.

This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.”

The vulnerability affects versions up to and including 7.89. Users of the plugin are recommended to update it to the latest version, which at the time of writing is 7.90.
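To make the mechanism concrete, here is an added PHP example (not the plugin's code and not its patched function) showing why calling unserialize() on values read from a backup file is dangerous, and how refusing to instantiate classes during deserialization contains the problem. The class name, function names and sample backup entry are constructed for illustration.

```php
<?php
// Added example, not code from the plugin. All names below are constructed.

class DemoGadget {
    public $note = 'benign';
    // Any magic method is enough to show the risk: it runs automatically
    // the moment the object is reconstructed from attacker-supplied bytes.
    public function __wakeup() {
        echo "__wakeup() ran: an object from the backup was instantiated\n";
    }
}

// Unsafe pattern: trusting serialized values found inside a backup.
// If any installed plugin or theme offers a usable POP chain, this call
// is where that chain would start.
function restore_value_unsafe(string $serialized) {
    return unserialize($serialized);
}

// Hardened pattern: allowed_classes => false means objects are turned into
// __PHP_Incomplete_Class, so no magic methods (and no POP chain) can run.
function restore_value_safe(string $serialized) {
    $value = @unserialize($serialized, ['allowed_classes' => false]);
    // unserialize() returns false both for the literal false and on error,
    // so distinguish the two before rejecting the input.
    if ($value === false && $serialized !== serialize(false)) {
        throw new RuntimeException('invalid or unsupported serialized value');
    }
    return $value;
}

// Constructed backup entry: a harmless serialized object standing in for
// anything that could be placed in a backup file.
$fromBackup = serialize(new DemoGadget());

restore_value_unsafe($fromBackup);                 // prints the __wakeup() line
$obj = restore_value_safe($fromBackup);            // prints nothing
var_dump($obj instanceof __PHP_Incomplete_Class);  // bool(true)
```

The same allowed_classes restriction is the standard defensive setting whenever serialized data crosses a trust boundary, such as a backup file uploaded for restoration.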

Read the Wordfence vulnerability advisory:

All in One WP Migration <= 7.89 – Unauthenticated PHP Object Injection

SEJ Staff: Roger Montti, Owner at Martinibuster.com