CVE-2026-5753
Missing Authorization in All-in-One WP Migration Unlimited Extension
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| servmask | all-in-one_wp_migration_unlimited_extension | to 2.83 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The All-in-One WP Migration Unlimited Extension plugin for WordPress, up to version 2.83, has a Missing Authorization vulnerability. Specifically, the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' does not verify user capabilities before saving schedule data.
This flaw allows authenticated users with subscriber-level access or higher to create scheduled export jobs and send backup notifications to email addresses controlled by attackers.
Because these notifications include the random backup filename, attackers can subsequently download full site backups from the target site, leading to exposure of sensitive information.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized full site backups being downloaded by attackers, exposing sensitive information stored on the WordPress site.
Attackers with minimal access (subscriber-level) can exploit this to create scheduled export jobs and receive backup notifications, which include filenames needed to download the backups.
The exposure of sensitive data can compromise the confidentiality of the website's content and user data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the All-in-One WP Migration Unlimited Extension plugin to version 2.83 or later, where the issue has been fixed.
The fix includes implementing path traversal validation to prevent unauthorized access to sensitive files and ensuring proper authorization checks before saving schedule data.
Until you can update, restrict access to the plugin's schedule event save handler to trusted users only, and monitor for suspicious scheduled export jobs or unexpected backup notifications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers to create scheduled export jobs and send backup notifications containing sensitive information to attacker-controlled email addresses. Because full site backups can be downloaded by attackers, this leads to exposure of sensitive information.
Exposure of sensitive information due to unauthorized access and data exfiltration can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.