Arbitrary PHP Code Injection Vulnerability in All-in-One WP Migration and Backup Plugin
CVE-2024-9162

7.2 HIGH

Key Information:

Vendor: WordPress
CVE Published: 28 October 2024

What is CVE-2024-9162?

The All-in-One WP Migration and Backup plugin for WordPress contains a vulnerability that allows authenticated attackers to inject arbitrary PHP code due to insufficient file type validation during the export process. This flaw affects all versions up to and including 7.86. Attackers with Administrator-level access can exploit this vulnerability by creating an export file with a .php extension on the server, which lets them execute arbitrary PHP code and potentially gain remote command execution capabilities.

Affected Version(s)

All-in-One WP Migration and Backup * <= 7.86

EPSS Score

40% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ryan Kozak