At the core of our concerns lies WordPress security and the identification of potential plugin vulnerabilities. Today, we are sounding the alarm on a high-severity issue associated with the All-in-One WP Migration Google Drive Extension Plugin.
This vulnerability falls under the classification of Broken Access Control, specifically referring to the absence of authorization, authentication, or nonce token checks within a function. This flaw could enable an unprivileged user to execute actions typically reserved for higher-privileged users.
This vulnerability was discovered and responsibly reported by Rafie Muhammad (Patchstack).
The vulnerability has a CVSS 3.1 score of 7.3, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
The vulnerability affects WordPress websites that use the All-in-One WP Migration Google Drive Extension Plugin prior to version 2.80.
An attacker who successfully exploits this vulnerability could:
- Export or delete files that they do not have permission to access.
- Modify or delete the plugin’s settings.
- Take control of the website.
Users of the All-in-One WP Migration Google Drive Extension Plugin are strongly advised to take the following actions:
- Update Immediately: Ensure the All-in-One WP Migration Google Drive Extension Plugin is updated to, at the very least, version 2.80, or install the latest available version. This update rectifies the Broken Access Control vulnerability and bolsters overall plugin security.
- Regular Security Audits: Conduct regular, comprehensive security audits on the WordPress website to proactively identify and address vulnerabilities. Consistent updates and proactive measures are fundamental to maintaining a secure online environment.
- Stay Informed: Stay informed about official updates or advisories pertaining to the All-in-One WP Migration Google Drive Extension Plugin. Timely updates and heightened awareness are integral to preserving the website’s security.