A high-severity vulnerability was discovered and patched in the All-in-One WP Migration and Backup plugin, which has over five million installations. The vulnerability requires no user authentication, making it easier for an attacker to compromise a website, but this is mitigated by a restricted attack method.
The vulnerability was assigned a severity rating of 7.5 (High), which is below the highest severity level, labeled Critical.
Unauthenticated PHP Object Injection
The vulnerability is called an unauthenticated PHP object injection. But it’s less severe than a typical Unauthenticated PHP Object Injection where an attacker could directly exploit the vulnerability. This specific vulnerability requires that a user with administrator level credentials export and restore a backup with the plugin in order to trigger the exploit.
The way this kind of vulnerability works is that the WordPress plugin processes potentially malicious data during backup restoration without properly verifying it. But because there’s a narrow attack opportunity, it makes exploiting it less straightforward.
Nevertheless, if the right conditions are met, an attacker can delete files, access sensitive information, and run malicious code.
According to a report by Wordfence:
“The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the ‘replace_serialized_values’ function.
This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.”
The vulnerability affects versions up to and including 7.89. Users of the plugin are recommended to update it to the latest version which at the time of writing is 7.90.
Read the Wordfence vulnerability advisory:
All in One WP Migration <= 7.89 – Unauthenticated PHP Object Injection
We all want to be satisfied, even though we know some people who will never be that way, and others who see satisfaction as a foreign emotion that they can’t hope to ever feel.
Newspaper Ads Canyon Crest CA
Click To See Full Page Ads
Click To See Half Page Ads
Click To See Quarter Page Ads
Click To See Business Card Size Ads
If you have questions before you order, give me a call @ 951-235-3518 or email @ canyoncrestnewspaper@gmail.com
Like us on Facebook Here
OpenAI ChatGPT Agent Marks A Turning Point For Businesses And SEO
OpenAI’s ChatGPT agent marks a change in how users interact with web pages and complete...
Daily Search Forum Recap: July 17, 2025
Barry Schwartz is the CEO of RustyBrick and a technologist, a New York Web service firm...
0 Comments