CVE-2024-13609

5.9 MEDIUM

📋 TL;DR

The 1 Click WordPress Migration Plugin exposes sensitive user data including usernames and password hashes during backup operations. Unauthenticated attackers can access this information during a brief window when backups are being created. All WordPress sites using this plugin up to version 2.1 are affected.

💻 Affected Systems

Products:
  • 1 Click WordPress Migration Plugin
Versions: All versions up to and including 2.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default plugin configuration and requires no special settings to be exploitable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain password hashes for all WordPress users, potentially enabling credential cracking and account takeover leading to site compromise.

🟠 Likely Case

Attackers harvest password hashes for administrative users, crack weak passwords, and gain administrative access to the WordPress site.

🟢 If Mitigated

With proper monitoring and short backup windows, attackers have limited opportunity to access exposed data before it's secured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires timing the request to hit the backup files during the creation window, but tooling could automate this process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 2.1

Vendor Advisory: https://plugins.trac.wordpress.org/browser/1-click-migration/trunk/inc/backup/class-ocm-backup.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the '1 Click WordPress Migration' plugin.
4. Click 'Update Now' if available.
5. If no update is available, deactivate and delete the plugin.

🔧 Temporary Workarounds

Disable plugin backups (all platforms)

Temporarily disable the backup functionality in the plugin settings to close the exposure window.

Restrict access to backup directory (Linux / Apache)

Add .htaccess rules to block web access to backup files:

Order deny,allow
Deny from all

These directives are the Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent is Require all denied. nginx does not read .htaccess files, so the same deny rule must be placed in the server block instead. In either case this only blocks direct web requests for the files; it does not stop the plugin from writing them.

🧯 If You Can't Patch

  • Deactivate and remove the 1 Click WordPress Migration Plugin immediately
  • Implement web application firewall rules to block access to backup file paths

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for '1 Click WordPress Migration' version 2.1 or earlier

Check Version:

wp plugin list --name='1-click-migration' --field=version

Verify Fix Applied:

Verify plugin is either updated to version after 2.1 or completely removed from the WordPress installation

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to backup files or directories
  • Multiple failed login attempts following backup operations

Network Indicators:

  • HTTP requests to backup file paths containing sensitive naming patterns

SIEM Query:

source="web_access_logs" AND (uri_path="/wp-content/backup*" OR uri_path="*class-ocm-backup*")
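The SIEM query above expresses the two log indicators as a path match. The script below is an added example, not part of this advisory, that applies the same logic offline to raw access-log lines: it flags requests for backup paths under wp-content or for the class-ocm-backup file, records whether the server actually served them (2xx) or only saw probing (403/404), and counts wp-login.php POSTs from the same source within 30 minutes of a backup hit, which is the "failed logins following backup operations" indicator. The log lines, IP addresses and file names are constructed; the 30-minute window and the assumption that a failed WordPress login returns 200 while a successful one returns 302 are this example's choices, not the advisory's.

```python
"""Scan web access logs for CVE-2024-13609 indicators (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators mirrored from the advisory's SIEM query.
BACKUP_PATTERNS = (
    re.compile(r"^/wp-content/backup", re.I),
    re.compile(r"class-ocm-backup", re.I),
)
LOGIN_PATH = "/wp-login.php"
WINDOW = timedelta(minutes=30)  # assumption: correlate logins within 30 min


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def is_backup_access(path):
    return any(p.search(path) for p in BACKUP_PATTERNS)


def analyze(lines):
    """Group indicators per source IP.

    Returns {ip: {"backup_hits": [(ts, path, status)], "served": n,
                  "failed_logins_after": n}} for IPs that touched backup paths.
    """
    events = [e for e in map(parse_line, lines) if e]
    findings = defaultdict(
        lambda: {"backup_hits": [], "served": 0, "failed_logins_after": 0}
    )
    # Pass 1: every request for a backup path, served or not.
    for e in events:
        if is_backup_access(e["path"]):
            f = findings[e["ip"]]
            f["backup_hits"].append((e["ts"], e["path"], e["status"]))
            if 200 <= e["status"] < 300:  # file actually delivered
                f["served"] += 1
    # Pass 2: login attempts from the same IP shortly after a backup hit.
    # Assumption: WordPress re-renders the form with 200 on a failed login
    # and redirects (302) on success.
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith(LOGIN_PATH):
            continue
        if e["status"] != 200:
            continue
        f = findings.get(e["ip"])  # .get() avoids creating new entries
        if f and any(timedelta(0) <= e["ts"] - t <= WINDOW
                     for t, _, _ in f["backup_hits"]):
            f["failed_logins_after"] += 1
    return dict(findings)


# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2025:14:02:11 +0000] "GET /wp-content/backup/site-backup.zip HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Feb/2025:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1834',
    '203.0.113.7 - - [10/Feb/2025:14:05:52 +0000] "POST /wp-login.php HTTP/1.1" 200 1834',
    '198.51.100.3 - - [10/Feb/2025:14:10:05 +0000] "GET /?p=12 HTTP/1.1" 200 8900',
    '198.51.100.3 - - [10/Feb/2025:14:11:30 +0000] "GET /wp-content/plugins/1-click-migration/inc/backup/class-ocm-backup.php HTTP/1.1" 403 199',
    '192.0.2.9 - - [10/Feb/2025:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: backup requests={len(f['backup_hits'])} served={f['served']} "
              f"failed logins within window={f['failed_logins_after']}")
```

A source that both received a backup file (served > 0) and then produced failed logins is the strongest signal here; a 403/404 probe with no follow-up is worth noting but usually means the deny rule above is doing its job.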
