A Broken Access Control vulnerability has been identified in the WordPress All-in-One WP Migration Dropbox Extension Plugin. It allows an unprivileged user to perform actions that they are not authorized to perform, such as exporting or deleting files.

This vulnerability was discovered and responsibly reported by Rafie Muhammad (Patchstack).

The Broken Access Control flaw is in the dropbox-api.php file. By specifying a specially crafted URL, an unprivileged user can perform actions that they are not authorized to perform.

Severity:

The vulnerability has a CVSS 3.1 score of 7.3, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects WordPress websites running any version of the All-in-One WP Migration Dropbox Extension Plugin prior to 3.76.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Export or delete files that they do not have permission to access.
  • Modify or delete the plugin’s settings.
  • Take control of the website.

Recommendation:

Users of the All-in-One WP Migration Dropbox Extension Plugin are strongly advised to update to version 3.76 or higher as soon as possible. This will fix the vulnerability and protect users from attacks.
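
To confirm which installs still need the update, the following added example (not code from the plugin or from the advisory) reads each plugin's header and flags versions below 3.76. It assumes the extension's "Plugin Name" header contains the words "Migration" and "Dropbox"; the sample header is constructed. Versions are compared component by component, so 3.8 is correctly treated as older than 3.76.

```python
import re
from pathlib import Path

FIXED = (3, 76)  # first fixed release named in the advisory
# Assumption: the "Plugin Name" header contains these words (from the advisory's plugin name).
NAME_WORDS = ("migration", "dropbox")
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

# Constructed sample header, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: All-in-One WP Migration Dropbox Extension
 * Version: 3.8
 */
"""

def parse_header(text):
    """Extract 'plugin name' and 'version' from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(version):
    """'3.8' -> (3, 8). Compared per component, so 3.8 is older than 3.76."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def is_vulnerable(version):
    # An unparseable version yields () and is flagged, which errs on the safe side.
    return version_tuple(version) < FIXED

def audit(plugins_dir):
    """Return (directory, version, vulnerable) for each matching plugin under plugins_dir."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = parse_header(php.read_text(errors="replace"))
        name, ver = hdr.get("plugin name", "").lower(), hdr.get("version")
        if ver and all(w in name for w in NAME_WORDS):
            findings.append((php.parent.name, ver, is_vulnerable(ver)))
    return findings

if __name__ == "__main__":
    import sys
    for folder, ver, vuln in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"{folder}: {ver} -> {'UPDATE REQUIRED' if vuln else 'ok'}")
```

Run it with the path to a site's `wp-content/plugins` directory as the only argument.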