Missing Authorization Vulnerability in All-in-One WP Migration Unlimited Extension Plugin
CVE-2026-5753

6.5 MEDIUM

What is CVE-2026-5753?

The All-in-One WP Migration Unlimited Extension for WordPress has a Missing Authorization vulnerability: the 'Ai1wmve_Schedules_Controller::save' handler does not verify user capabilities when saving scheduled export jobs. Authenticated users with subscriber-level access and above can therefore create export jobs that may send backup notifications to malicious email addresses. These notifications leak sensitive information, including backup filenames, potentially enabling attackers to download full site backups and expose confidential data stored on the site.
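The checks a handler of this kind needs before it stores a schedule, as an added example (not the plugin's code or the vendor's fix). The class name, the action name `example_save_schedule`, the `nonce` and `notify_email` fields and the option key are hypothetical, and `manage_options` is an assumed choice of required capability.

```php
<?php
// Added illustration: hypothetical handler, not the plugin's code.
// Action name, nonce name, POST field and option key are assumptions.

class Example_Schedules_Controller {

    // wp_ajax_* hooks fire for every logged-in user, subscribers included,
    // so registration alone is not an authorization check.
    public static function register() {
        add_action( 'wp_ajax_example_save_schedule', array( __CLASS__, 'save' ) );
    }

    public static function save() {
        // 1. Authorization: require a capability that subscribers lack.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }

        // 2. Request intent: dies with 403 if the nonce is missing or invalid.
        check_ajax_referer( 'example_save_schedule', 'nonce' );

        // 3. Validate the notification recipient before storing it.
        $email = isset( $_POST['notify_email'] )
            ? sanitize_email( wp_unslash( $_POST['notify_email'] ) )
            : '';
        if ( '' === $email || ! is_email( $email ) ) {
            wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
        }

        // 4. Record who created the job so schedules can be audited later.
        $schedules   = get_option( 'example_export_schedules', array() );
        $schedules[] = array(
            'notify_email' => $email,
            'created_by'   => get_current_user_id(),
            'created_at'   => time(),
        );
        update_option( 'example_export_schedules', $schedules, false );

        wp_send_json_success();
    }
}

Example_Schedules_Controller::register();
```

Storing `created_by` with each job lets an administrator review existing schedules for entries created by low-privilege accounts or pointing at unfamiliar recipients.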

Affected Version(s)

All-in-One WP Migration Unlimited Extension: all versions up to and including 2.83

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sélim Lanouar