
CVE-2025-3455 – 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3455
08 May 2025 — The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore' function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/e982ae88-cfd0-46b9-ad64-00e398d307d6?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2024-13555 – 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Cross-Site Request Forgery to Backup Process Cancellation
https://notcve.org/view.php?id=CVE-2024-13555
17 Feb 2025 — The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes it possible for unauthenticated attackers to cancel a triggered backup via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wordpress.org/plugins/1-click-migration • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-13609 – 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php
https://notcve.org/view.php?id=CVE-2024-13609
17 Feb 2025 — The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers to extract sensitive data including usernames and their respective password hashes during a short window of time in which the backup is in process. • https://plugins.trac.wordpress.org/browser/1-click-migration/trunk/inc/backup/class-ocm-backup.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor