CVE-2024-9162
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to inject arbitrary PHP code into export files created by the All-in-One WP Migration plugin. Attackers can create PHP files on the server, potentially leading to remote code execution. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- All-in-One WP Migration and Backup plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.
Likely Case
Unauthorized PHP file creation leading to backdoor installation, data exfiltration, or website defacement.
If Mitigated
Limited impact if proper file permissions and web application firewalls block PHP execution from upload directories.
🎯 Exploit Status
Exploitation requires administrator credentials but is straightforward once authenticated. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.87
Vendor Advisory: https://wordpress.org/plugins/all-in-one-wp-migration/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'All-in-One WP Migration' and click 'Update Now'. 4. Verify version is 7.87 or higher.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate all-in-one-wp-migration
Restrict PHP execution in uploads
linuxAdd .htaccess rule to prevent PHP execution in WordPress uploads directory
echo '<Files *.php>' > /path/to/wp-content/uploads/.htaccess
echo 'deny from all' >> /path/to/wp-content/uploads/.htaccess
echo '</Files>' >> /path/to/wp-content/uploads/.htaccess
🧯 If You Can't Patch
- Remove administrator access from untrusted users
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → All-in-One WP Migration → Version. If version is 7.86 or lower, you are vulnerable.Check Version:
wp plugin get all-in-one-wp-migration --field=versionVerify Fix Applied:
After updating, confirm version shows 7.87 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual .php file creation in wp-content/uploads/ai1wm-backups/ directory
- Multiple export operations from single administrator account
- POST requests to /wp-admin/admin-ajax.php with action=ai1wm_export
Network Indicators:
- HTTP requests creating files with .php extension in backup directories
- Unusual outbound connections following export operations
SIEM Query:
source="wordpress.log" AND ("ai1wm_export" OR "/ai1wm-backups/") AND ".php"🔗 References
- https://github.com/d0n601/CVE-2024-9162
- https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-backups-controller.php#L60
- https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-export-controller.php#L36
- https://ryankozak.com/posts/CVE-2024-9162
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=cve
