7 Oct 2022

Not Really a WordPress Plugin Vulnerability, Week of October 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

PHP Object Injection in Easy WP SMTP

One of the changelog entries for version 1.4.9 of Easy WP SMTP is: [Read more]

29 Apr 2022

Wordfence Doesn’t Appear to Understand the Security Implications of a Backup Plugin

A little over a month ago we noted that Automattic’s WPScan didn’t appear to understand the concept of a backup plugin, as they claimed that the 4+ million install WordPress backup plugin All-in-One WP Migration contained a vulnerability that:

allows administrators to upload PHP files on their site [Read more]

21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While that has been a problem for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by Automattic, the company closely connected with WordPress. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be: neither a recently fixed vulnerability in the plugin nor an unfixed vulnerability that currently exists in it. But WPScan did recently put out a false report of a vulnerability in the plugin, and it seems a hacker might have thought that was something they could exploit. [Read more]

19 Jul 2019

Cross-Site Request Forgery (CSRF) Vulnerabilities in All-in-One WP Migration

While trying to understand a fix made to the plugin All-in-One WP Migration for an authenticated information disclosure vulnerability discovered by “Ed from siliconforks”, as we looked to add it to the data set for our service, we noticed that the plugin at least still contains a couple of cross-site request forgery (CSRF) vulnerabilities. The overall design of the plugin looks like it might not be properly secured, but that may be intentional for a reason we don’t fully understand.

The plugin registers the function updater() from the class Ai1wm_Updater_Controller to be accessible through WordPress’ AJAX functionality to those logged in to WordPress with the “update_plugins” capability: [Read more]
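The security point behind that registration is that a capability check on a `wp_ajax_` handler limits who may call it, not which site caused the logged-in user’s browser to send the request, so on its own it does not stop CSRF. The following is an added illustration of the pattern and of the nonce check WordPress provides for it; it is not code from All-in-One WP Migration or any other plugin, and the action name `myplugin_updater`, the option name and the nonce action string are made up for the example.

```php
<?php
/*
 * Added illustration, not code from All-in-One WP Migration or any other plugin.
 * A capability check on a wp_ajax_ handler limits WHO may call it, but not
 * WHICH SITE caused the logged-in user's browser to send the request, so by
 * itself it does not stop CSRF. Names below (myplugin_updater, the option name,
 * the nonce action) are made up for this example.
 */

// "Before": reachable only by logged-in users holding update_plugins, but any
// page an administrator visits can submit this request with the admin's cookies.
function myplugin_updater_before() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $source = sanitize_text_field( wp_unslash( $_POST['source'] ?? '' ) );
    update_option( 'myplugin_update_source', $source ); // state change driven by request data
    wp_send_json_success();
}

// "After": check_ajax_referer() verifies a nonce bound to this user and to the
// action string and wp_die()s before the handler body runs if it is missing or
// wrong. A third-party site cannot read the nonce, so it cannot forge the request.
function myplugin_updater_after() {
    check_ajax_referer( 'myplugin_updater', 'nonce' ); // reads $_REQUEST['nonce']
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $source = sanitize_text_field( wp_unslash( $_POST['source'] ?? '' ) );
    update_option( 'myplugin_update_source', $source );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_updater', 'myplugin_updater_after' );

// Issue the nonce to the plugin's own admin-page JavaScript; that script sends it
// as the "nonce" field of each POST to admin-ajax.php?action=myplugin_updater.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'myplugin_updater' ),
    ) );
} );
```

The check a reviewer runs on a handler like this is to replay the request from a logged-in administrator session with the nonce field removed: with the "before" handler the option still changes, with the "after" handler the request dies at `check_ajax_referer()` and nothing changes. Note that only `wp_ajax_` is registered here; a `wp_ajax_nopriv_` registration would make the handler reachable without logging in, which is a different issue from the one described above.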

1 Feb 2019

Not Really a WordPress Plugin Vulnerability, Week of February 1

In reviewing reports of vulnerabilities in WordPress plugins we often find reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

SQL Injection Vulnerability in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup

Related reports of SQL injection vulnerabilities in Add Code To Head, All-in-One WP Migration, Diamond MultiSite Widgets, Smush, and Yeloni Exit Popup appear to come from someone who has no idea what a SQL injection vulnerability is. As an example, take the plugin Add Code To Head, where they claim that this vulnerability exists in the file add-code-to-head.php despite there being no SQL statements in that file, and despite the GET parameter “id” that is supposed to be utilized as part of this not being used at all. What they claim proves there is an issue is the following, which they refer to as a “SQL Database Error”: [Read more]
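A first-pass check on a claim like that, as an added example that is not the reporter’s or any of the named plugins’ code: tokenize the file and ask two questions, whether the named parameter is read from `$_GET`/`$_POST`/`$_REQUEST` anywhere in it, and whether any SQL runs through `$wpdb` in it. Both sample files below are constructed for the example; the first has the shape described for add-code-to-head.php (an options page with no SQL and no “id” parameter) but is not that file’s contents, and the second is what a genuine candidate looks like, for contrast.

```php
<?php
// Added triage helper, not code from any plugin named above or from the reporter.
// Tokenizes PHP source and reports (a) which request parameters it reads from
// $_GET/$_POST/$_REQUEST and (b) which $wpdb methods it calls. A SQL injection
// claim for a parameter absent from (a), in a file with nothing in (b), has no
// input-to-query path in that file and fails this first check.

function triage_sqli_claim( string $source, string $param ): array {
    $params_read = array();
    $sql_sinks   = array();
    $tokens      = token_get_all( $source );
    $n           = count( $tokens );

    for ( $i = 0; $i < $n - 2; $i++ ) {
        $t = $tokens[ $i ];
        if ( ! is_array( $t ) || T_VARIABLE !== $t[0] ) {
            continue;
        }
        $next  = $tokens[ $i + 1 ];
        $next2 = $tokens[ $i + 2 ];

        // $_GET['id'], $_POST["id"], $_REQUEST['id']: superglobal, '[', quoted key.
        if ( in_array( $t[1], array( '$_GET', '$_POST', '$_REQUEST' ), true )
            && '[' === $next
            && is_array( $next2 ) && T_CONSTANT_ENCAPSED_STRING === $next2[0] ) {
            $params_read[] = trim( $next2[1], '\'"' );
        }

        // $wpdb->query(...), $wpdb->get_results(...), $wpdb->prepare(...): a method
        // call on $wpdb. The '(' check skips property reads such as $wpdb->prefix.
        if ( '$wpdb' === $t[1]
            && is_array( $next ) && T_OBJECT_OPERATOR === $next[0]
            && is_array( $next2 ) && T_STRING === $next2[0]
            && isset( $tokens[ $i + 3 ] ) && '(' === $tokens[ $i + 3 ] ) {
            $sql_sinks[] = $next2[1];
        }
    }

    return array(
        'param_read' => in_array( $param, $params_read, true ),
        'params'     => array_values( array_unique( $params_read ) ),
        'sql_sinks'  => array_values( array_unique( $sql_sinks ) ),
    );
}

// Constructed sample 1: an options-page file with no SQL and no "id" parameter
// (the shape described for add-code-to-head.php above, not that file's contents).
$no_sql_file = <<<'PHP'
<?php
if ( isset( $_POST['head_code'] ) && current_user_can( 'manage_options' ) ) {
    update_option( 'head_code', wp_kses_post( wp_unslash( $_POST['head_code'] ) ) );
}
echo '<textarea name="head_code">' . esc_textarea( get_option( 'head_code' ) ) . '</textarea>';
PHP;

// Constructed sample 2: unsanitized "id" concatenated into a query, for contrast.
$sql_file = <<<'PHP'
<?php
global $wpdb;
$wpdb->query( "DELETE FROM {$wpdb->prefix}widgets WHERE id = " . $_GET['id'] );
PHP;

foreach ( array( 'no SQL' => $no_sql_file, 'has SQL' => $sql_file ) as $label => $src ) {
    $r = triage_sqli_claim( $src, 'id' );
    printf(
        "%s: reads 'id'? %s; parameters read: [%s]; \$wpdb calls: [%s]\n",
        $label,
        $r['param_read'] ? 'yes' : 'no',
        implode( ', ', $r['params'] ),
        implode( ', ', $r['sql_sinks'] )
    );
}
```

A clean result on the named file is necessary but not sufficient: the parameter could be read in another file and passed in, or the query could live in a helper. So a negative result only shows that the report as written (this parameter, this file) does not hold; a full answer follows the data across the whole plugin, and a claim that offers a database error message as its only evidence still has to name the statement the input reaches.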