WordPress Backup Plugin Vulnerability Affects 5+ Million Websites


A high-severity vulnerability affects the All-in-One WP Migration and Backup plugin, which is installed on over 5 million sites.


A high-severity vulnerability was discovered and patched in the All-in-One WP Migration and Backup plugin, which has over 5 million installations. The vulnerability requires no user authentication, which makes it easier for an attacker to compromise a website, but this is mitigated by a restricted attack method.

The vulnerability was assigned a severity rating of 7.5 (High), which is below the highest severity level, labeled Critical.

Unauthenticated PHP Object Injection

The vulnerability is classed as an unauthenticated PHP object injection. It is less severe than a typical Unauthenticated PHP Object Injection, where an attacker could exploit the vulnerability directly. This specific vulnerability requires that a user with administrator-level credentials export and restore a backup with the plugin in order to trigger the exploit.

The way this kind of vulnerability works is that the WordPress plugin deserializes possibly malicious data during backup restoration without properly verifying it. Because the attack opportunity is narrow (an administrator has to restore a backup containing the attacker's data), exploiting it is less straightforward.

Nevertheless, if the right conditions are met, an attacker can delete files, access sensitive data, and run malicious code.

According to a report by Wordfence:

“The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the ‘replace_serialized_values’ function.

This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit.”

The vulnerability affects versions up to and including 7.89. Users of the plugin are advised to update to the latest version, which at the time of writing is 7.90.
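The pattern the advisory describes, shown as an added example that is not the plugin's code: a serialized string taken from an untrusted source (here a constructed stand-in for a value read out of a backup) is passed to unserialize(), which instantiates whatever class the string names and runs its magic methods. The class and function names are hypothetical; the hardened variant uses PHP's allowed_classes option so that no class is instantiated and no magic method runs.

```php
<?php
// Hypothetical class standing in for any class loaded on the site (plugin,
// theme, core) that has a magic method PHP calls during unserialize(). Such
// classes are the links of a "POP chain"; this one only records that it ran.
class AuditHook {
    public string $note = '';
    public static int $fired = 0;
    public function __wakeup(): void {
        // Runs automatically during unserialize(), with no further action by
        // the site. A real gadget could touch files or execute code here.
        self::$fired++;
    }
}

// Constructed sample: a serialized object as it might appear inside an
// attacker-supplied backup. Nothing here is taken from a real backup.
$untrusted = 'O:9:"AuditHook":1:{s:4:"note";s:13:"from a backup";}';

// Vulnerable pattern: untrusted data handed straight to unserialize().
function restore_value_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened pattern: refuse to instantiate any class. Objects come back as
// __PHP_Incomplete_Class, so no __wakeup/__destruct/__toString can fire.
function restore_value_hardened(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

AuditHook::$fired = 0;
$a = restore_value_vulnerable($untrusted);
printf("vulnerable: got %s, __wakeup fired %d time(s)\n", get_class($a), AuditHook::$fired);

AuditHook::$fired = 0;
$b = restore_value_hardened($untrusted);
printf("hardened:   got %s, __wakeup fired %d time(s)\n", get_class($b), AuditHook::$fired);
```

Run with the PHP CLI: the first line reports class AuditHook and one __wakeup call, the second reports __PHP_Incomplete_Class and zero calls. Where the restored values do not need to carry objects at all, a format with no object semantics (for example JSON) removes the problem entirely rather than filtering it.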

Read the Wordfence vulnerability advisory:

All in One WP Migration <= 7.89 – Unauthenticated PHP Object Injection

SEJ STAFF Roger Montti, Owner at Martinibuster.com

I have 25 years of hands-on experience in SEO, evolving along with the search engines by keeping up with the latest ...