CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10942 – All in One WP Migration <= 7.89 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-10942
12 Mar 2025 — The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retri... • https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/vendor/servmask/database/class-ai1wm-database-utility.php#L97 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.3EPSS: 68%CPEs: 1EXPL: 1CVE-2024-9162 – All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
https://notcve.org/view.php?id=CVE-2024-9162
27 Oct 2024 — The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. • https://github.com/d0n601/CVE-2024-9162 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8852 – All-in-One WP Migration and Backup <= 7.86 - Unauthenticated Information Disclosure via Error Logs
https://notcve.org/view.php?id=CVE-2024-8852
21 Oct 2024 — The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.86 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information such as full paths contained in the exposed log files. • https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/tags/7.86/functions.php#L297 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •