ServMask All-in-One WP Migration
Moderate fix1 remedy
cpe:2.3:a:servmask:all-in-one_wp_migration:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 7.89
All-in-One WP Migration PHP Object Injection Vulnerability
Vulnerability
Patched
A PHP Object Injection vulnerability has been identified in the All-in-One WP Migration and Backup plugin for WordPress, affecting all versions through 7.89. The vulnerability arises from the deserialization of untrusted input in the 'replace_serialized_values' function, allowing unauthenticated attackers to inject PHP objects. While no known payload chain exists within the vulnerable software itself, the presence of such a chain through an additional plugin or theme could enable an attacker to delete arbitrary files, access sensitive data, or execute code. To exploit this vulnerability, an administrator must export and restore a backup.
Impact
Exploitation of this vulnerability could lead to unauthorized PHP object injection, with the potential for additional impacts depending on the presence of a suitable payload execution chain through other installed plugins or themes.
Remediation
Users are advised to update the All-in-One WP Migration and Backup plugin to version 7.90 or a newer patched version.
Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM
Vulnerability Rating
Custom Algorithm
spread
7.6impact
7.5exploitability
7.2remediation
7.7relevance
0.0threat
3.2urgency
2.9incentive
1.7Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.