cleantalk
Vulnerabilities and Security Researches

All-in-One WP Migration, CVE-2024-9162

CVE, Research URL

CVE-2024-9162

Home page URL

Security reports for All-in-One WP Migration

Application

All-in-One WP Migration

Published on
Oct 28, 2024
Research Description
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible.
Affected versions
Min -, max 7.87.
Status
vulnerable
Previous vulnerability researches
All-in-One WP Migration (CVE-2021-24216) , Jun 07, 2024
All-in-One WP Migration (CVE-2022-1476) , Jun 07, 2024
All-in-One WP Migration (CVE-2022-2546) , Jun 07, 2024
All-in-One WP Migration (CVE-2024-9162) , Oct 28, 2024
All-in-One WP Migration (CVE-2024-10942) , Mar 13, 2025
New vulnerability
Abandoned Contact Form 7 (CVE-2025-52817) , Jun 29, 2025
Simple Payment (CVE-2025-6688) , Jun 29, 2025
SiteGuard WP Plugin , Jun 28, 2025
DirectIQ Email Marketing (CVE-2025-52829) , Jun 28, 2025
e.nigma buttons (CVE-2025-5535) , Jun 28, 2025