CVE-2024-9162

All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection

Description

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible.

References

Link	Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=cve
https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-backups-controller.php#L60
https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-export-controller.php#L36
https://github.com/d0n601/CVE-2024-9162
https://ryankozak.com/posts/CVE-2024-9162

Frequently Asked Questions

What is the severity of CVE-2024-9162?: CVE-2024-9162 has been scored as a high severity vulnerability.
How to fix CVE-2024-9162?: To fix CVE-2024-9162, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-9162 being actively exploited in the wild?: It is possible that CVE-2024-9162 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~38% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-9162?: CVE-2024-9162 affects yaniiliev All-in-One WP Migration and Backup.

Description

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions