- July 23, 2019
- Posted by: chaseadmin
- Category: Cybersecurity
Those who use the All-in-One WP Migration plugin are encouraged to update to version 7.0 as soon as possible as 6.97 contains an admin backend cross-site-scripting vulnerability.
An attacker would already have to be able to either compromise the database or gain access to a user account with high enough privileges to view the backup history, so some damage has already been done, but such an attacker could then also insert some XSS in order to compromise other admin users.
When double-clicking the backup description on the backup history overview page, in order to edit the description text, the text is not sanitized/escaped via html entities when generating the input field.
Details here: All-in-One WP