Cloud Security, Identity

Data breaches likely with WordPress plugin vulnerability

Threat actors could leverage an already patched vulnerability in the widely used WordPress data migration plugin All-in-One WP Migration to facilitate data breaches, according to BleepingComputer. Exploiting the broken access control flaw, tracked as CVE-2023-40004, could enable modification of the token configuration in various extensions, including those for Google Drive, Box, OneDrive, and Dropbox. That could in turn allow website migration data to be diverted to attackers' third-party cloud services, or a malicious backup to be restored, a report from Patchstack showed. Malicious actors could then proceed to perform data breaches, resulting in the compromise of website data, user information, and proprietary details, said researchers, who noted that the flaw has been mitigated only by the plugin's use in site migration. Immediate installation of the plugin's latest version, All-in-One WP Migration v7.78, which resolves the vulnerability, has been urged. Users of impacted third-party extensions were also advised to upgrade to Google Drive Extension v2.80, Box Extension v1.54, OneDrive Extension v1.67, and Dropbox Extension v3.76.
