Improper Privilege Management in All-in-One WP Migration plugin for WordPress
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-269 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
All-in-One WP Migration Web applications / Modules and components for CMS |
| Vendor | ServMask |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Improper Privilege Management
EUVDB-ID: #VU26382
Risk: Medium
CVSSv3.1:
CVE-ID: N/A
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to lack of randomness in the backup filenames. A remote attacker can perform a brute-force attack and download arbitrary backup.
MitigationInstall updates from vendor's website.
Vulnerable software versionsAll-in-One WP Migration: 6.77 - 7.14
CPE2.3 External linkshttp://wpvulndb.com/vulnerabilities/10151/
http://vavkamil.cz/2020/03/25/all-in-one-wp-migration/
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
