Those who use the All-in-One WP Migration plugin are encouraged to update to version 7.0 as soon as possible, as version 6.97 contains a cross-site scripting (XSS) vulnerability in the admin backend.
An attacker would already have to be able either to compromise the database or to gain access to a user account with high enough privileges to view the backup history, so some damage has already been done, but such an attacker could then also insert XSS in order to compromise other admin users.
When double-clicking the backup description on the backup history overview page in order to edit the description text, the text is not sanitized or escaped via HTML entities when the input field is generated.
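The defect described above is the classic attribute-context escaping mistake: a stored string is concatenated into `<input value="...">` markup, so any double quote in it terminates the attribute. The following is an added example (not the plugin's own code; the class name `backup-description` and the function names are assumptions) contrasting the unescaped builder with one that entity-encodes the description first, run on a constructed description that contains characters meaningful in HTML.

```javascript
// Added example, not code from the All-in-One WP Migration plugin.
// Shows why a backup description must be HTML-entity escaped before it is
// placed inside the value attribute of a generated <input> element.

// The five characters that matter inside HTML text and attribute values.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// Entity-encode a string so it is rendered as literal text wherever it lands.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern (hypothetical class name): the stored description is
// concatenated straight into markup. A double quote in the description closes
// the value attribute early, after which the rest of the string is parsed as
// further attributes or markup rather than as the field's text.
function buildInputUnsafe(description) {
  return '<input type="text" class="backup-description" value="' + description + '">';
}

// Hardened pattern: identical markup, but the description is escaped first,
// so every character it contains stays inside the attribute as literal text.
function buildInputSafe(description) {
  return '<input type="text" class="backup-description" value="' + escapeHtml(description) + '">';
}

// Simple check a reviewer or test can run: the generated markup should contain
// exactly one raw double quote pair around the value, i.e. none of the
// description's own quotes may survive unescaped.
function attributeIsIntact(html, description) {
  const expected = escapeHtml(description);
  return html.includes('value="' + expected + '"') && !html.includes('value="' + description + '"');
}

// Constructed sample description with characters that are meaningful in HTML.
const SAMPLE_DESCRIPTION = 'Nightly "pre-upgrade" backup <full>';

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', buildInputUnsafe(SAMPLE_DESCRIPTION));
  console.log('safe   :', buildInputSafe(SAMPLE_DESCRIPTION));
  console.log('intact :', attributeIsIntact(buildInputSafe(SAMPLE_DESCRIPTION), SAMPLE_DESCRIPTION));
}
```

In real browser code the cleaner fix is to avoid building markup from strings at all: create the element with `document.createElement('input')` and assign the description to its `.value` property, which is never parsed as HTML. On the server side, WordPress provides `esc_attr()` for exactly this attribute context.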
Version 7.0 was released on the plugin directory about a day ago and patches the vulnerability. According to the stats on the WordPress plugin directory, All-in-One WP Migration is actively installed on more than two million sites.
A proof of concept will be published on July 24th, which gives site owners about a week to update. Unfortunately, users who view the changelog prior to updating will not be able to determine that it patches a security issue, because the patch is labeled as a general fix.