CVE-2021-24216

7.2 HIGH

📋 TL;DR

This vulnerability in the All-in-One WP Migration WordPress plugin allows administrators to upload PHP files without proper file extension validation. Attackers with admin access can upload malicious PHP files, potentially leading to remote code execution. This affects WordPress sites using vulnerable plugin versions, including multisite installations.

💻 Affected Systems

Products:
  • All-in-One WP Migration WordPress plugin
Versions: All versions before 7.41
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator access to exploit. Affects both single-site and multisite WordPress installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full site compromise via remote code execution, allowing attackers to execute arbitrary PHP code, steal data, install backdoors, or take complete control of the server.

🟠

Likely Case

Administrator accounts being compromised could lead to PHP file uploads, enabling backdoor installation, data exfiltration, or lateral movement within multisite environments.

🟢

If Mitigated

With proper file upload restrictions and admin account security, impact is limited to potential file system manipulation by already-compromised admin accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrator credentials. Attack chain is straightforward once admin access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.41 and later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2516181#file8

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find All-in-One WP Migration.
4. Click 'Update Now' if available, or manually update to version 7.41+.
5. Verify the plugin version shows 7.41 or higher.

🔧 Temporary Workarounds

Restrict file uploads via .htaccess

Block PHP files from being served at the web server level. Place this in the directory the plugin writes uploaded files to, not the site root, where it would block WordPress itself. The directives use Apache 2.2 syntax (on Apache 2.4 without mod_access_compat, use Require all denied instead):

<FilesMatch "\.(php|php5|php7|phtml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

Disable plugin

Temporarily deactivate the vulnerable plugin until it is patched (WP-CLI):

wp plugin deactivate all-in-one-wp-migration

🧯 If You Can't Patch

  • Remove administrator access from untrusted users
  • Implement web application firewall rules to block PHP file uploads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → All-in-One WP Migration → Version number

Check Version:

wp plugin list --name=all-in-one-wp-migration --field=version

Verify Fix Applied:

Confirm plugin version is 7.41 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP file uploads via plugin endpoints
  • Admin users uploading .php files
  • POST requests to /wp-content/plugins/all-in-one-wp-migration/ with file uploads

Network Indicators:

  • File uploads to plugin-specific endpoints with PHP extensions
  • Unusual admin activity patterns

SIEM Query:

source="web_logs" AND (uri="/wp-content/plugins/all-in-one-wp-migration/" AND method="POST" AND file_extension="php")
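The version check from "How to Verify" and the SIEM query above, as an added example (not code from the advisory or from the plugin): it reads the plugin's Version: header and compares it against 7.41 as integer tuples, then applies the same POST-to-plugin-path filter to raw access-log lines. The header text, log lines and the query string in the sample URI are constructed for the example.

```python
# Added example (not from the advisory or the plugin): checks the plugin
# version from its header against the fixed release and mirrors the SIEM
# query above on raw access-log lines. Header and log lines are constructed.
import re

FIXED_VERSION = (7, 41)
PLUGIN_URI = "/wp-content/plugins/all-in-one-wp-migration/"

def parse_version(version):
    """'7.40' -> (7, 40). Compare as integer tuples, never as floats:
    7.5 is an older release than 7.41 in this plugin's numbering."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def version_from_header(header_text):
    """Read the 'Version:' field of a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable(version):
    """All versions before 7.41 are affected (per the advisory)."""
    return parse_version(version) < FIXED_VERSION

# Constructed plugin header, in the format WordPress expects.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: All-in-One WP Migration
 * Version: 7.40
 */
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def plugin_post_requests(log_lines):
    """Return (ip, uri, status, php_in_uri) for POSTs to the plugin path.
    A combined access log does not record uploaded filenames, so only a
    PHP filename visible in the URI is flagged; other hits still need review."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["uri"].startswith(PLUGIN_URI):
            php_in_uri = bool(re.search(r"\.(php\d?|phtml)\b", m["uri"], re.I))
            hits.append((m["ip"], m["uri"], int(m["status"]), php_in_uri))
    return hits

# Constructed sample lines; the query string is illustrative, not a real plugin endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Mar/2021:12:00:09 +0000] "POST /wp-content/plugins/all-in-one-wp-migration/?name=upload.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Mar/2021:12:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"plugin version {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in plugin_post_requests(SAMPLE_LOG):
        print("review:", hit)
```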

🔗 References
