WordPress Plugin Vulnerabilities

All-in-One WP Migration < 7.15 - Arbitrary Backup Download

Description

Lack of randomness in the backup filenames could allow unauthenticated attackers to guess and download them

Affects Plugins

Plugin icon
all-in-one-wp-migration
Fixed in 7.15

References

URL
https://vavkamil.cz/2020/03/25/all-in-one-wp-migration/

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.5 (high)

Miscellaneous

Original Researcher
vavkamil
Verified
Yes
WPVDB ID
ef4734a3-f12c-49ef-a49b-f00bd4a21ed9

Timeline

Publicly Published
2020-03-25 (about 4 years ago)
Added
2020-03-25 (about 4 years ago)
Last Updated
2021-03-23 (about 3 years ago)

Other

Published
Title
Published
2019-12-30
Title
Photo Gallery – Image Gallery by Ape <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation
Published
2020-01-01
Title
Import Users From CSV with Meta 1.15 - Unauthorised Authenticated Users Export
Published
2020-05-28
Title
bbPress < 2.6.5 - Unauthenticated Privilege Escalation when New User Registration enabled
Published
2020-03-16
Title
LearnPress < 3.2.6.7 - Privilege Escalation
Published
2022-12-12
Title
iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin