A vulnerability in a popular WordPress backup and migration plugin has been discovered, and it puts over 5 million WordPress based websites at risk. Researchers at Wordfence discovered that the vulnerability, tracked as CVE-2024-10942 with a severity score of 7.5 (out of 10), is an unauthenticated PHP object injection in the All in One WP Migration and Backup plugin.
Possibly during the backup or restore process, a function that converts specific strings back into PHP objects does not validate or sanitize its input. They did note that there isn’t a POP (property-oriented programming) chain or risk of malicious execution within the plugin itself, but combined with other vulnerabilities it can be exploited for further damage. This can include retrieval of sensitive files, deletion of files, or the execution of malicious code.
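The pattern described above, an unauthenticated caller supplying a serialized string that the plugin turns back into PHP objects, is what makes PHP object injection possible. The following is an added example, not code from the plugin or from Wordfence, showing the unsafe pattern beside a hardened form; the class name `BackupSettings` and the function names are hypothetical, and the serialized input is constructed inline.

```php
<?php
// Added example (not the plugin's code): unvalidated unserialize() of
// request data, and a hardened alternative. All names are hypothetical.

// A hypothetical class with a magic method. Any such class that the
// autoloader can reach is what turns unserialize() of attacker-controlled
// data into a risk: its magic methods run without the application asking.
class BackupSettings
{
    public string $path = '/tmp/backup';

    public function __wakeup(): void
    {
        // Runs automatically whenever an object of this class is unserialized.
        error_log("BackupSettings::__wakeup ran for {$this->path}");
    }
}

// Vulnerable pattern: the serialized string comes straight from the request,
// so the caller decides which classes are instantiated and which magic
// methods (__wakeup, __destruct, ...) execute.
function restoreSettingsUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened: allowed_classes => false (PHP 7.0+) means no class is ever
// instantiated; serialized objects become __PHP_Incomplete_Class and their
// magic methods never run. The shape of the result is then checked against
// what the code actually expects, here a flat array of scalar values.
function restoreSettingsSafe(string $untrusted): array
{
    $value = unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    foreach ($value as $key => $item) {
        if (!is_string($key) || !is_scalar($item)) {
            throw new InvalidArgumentException("unexpected entry for key {$key}");
        }
    }
    return $value;
}

// Constructed input: a serialized BackupSettings object, the kind of string
// any client could place in a request parameter.
$payload = serialize(new BackupSettings());

$obj = restoreSettingsUnsafe($payload);   // __wakeup runs during unserialize
var_dump($obj instanceof BackupSettings); // bool(true)

try {
    restoreSettingsSafe($payload);        // __wakeup does not run; input rejected
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Legitimate settings still round-trip through the hardened path.
var_dump(restoreSettingsSafe(serialize(['path' => '/tmp/backup', 'keep' => 3])));
```

Where the data being exchanged is plain settings rather than live objects, replacing `serialize()`/`unserialize()` with `json_encode()`/`json_decode()` removes the object-instantiation problem entirely; `allowed_classes` is the mitigation for code that must keep the PHP serialization format.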
The vulnerability exists in versions 7.89 and below. The official WordPress Plugin Directory page for the plugin shows that it is active on over five million websites.

As of today, a newer version with a patch has been released.
Webmasters of WordPress sites utilizing the All in One WP Migration and Backup plugin should update their plugins as soon as possible. You can update right through your dashboard’s “Updates” page. Users who update manually through other ways such as FTP can also grab the plugin’s latest version on their official plugin directory page.
Regular backups and verified restoration are crucial to a successful website, so your backup tool should be treated as one of your most critical tools, along with regular updates, which close the vulnerabilities and exploits that could otherwise be leveraged against you.
Learn more about Wordfence’s research and finds on their vulnerability database post here.