CVE-2022-1476: 
WordPress vulnerability analysis and mitigation

The All-in-One WP Migration plugin for WordPress (versions up to and including 7.58) contains a vulnerability identified as CVE-2022-1476, discovered in April 2022. The plugin is susceptible to arbitrary file deletion via directory traversal due to insufficient file validation in the ~/lib/model/class-ai1wm-backups.php file. This vulnerability can be exploited by administrative users and users who have access to the site's secret key on WordPress instances with Windows hosts (NVD, WPScan).

The vulnerability is classified as a directory traversal issue (CWE-22) with a CVSS v3.1 base score of 6.5 (Medium) according to NVD, and 6.6 (Medium) according to Wordfence. The vulnerability exists in the file validation mechanism of the backup functionality, specifically in the ~/lib/model/class-ai1wm-backups.php file. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and no user interaction (UI:N) (NVD).

If successfully exploited, this vulnerability allows attackers with administrative access or knowledge of the site's secret key to perform arbitrary file deletion operations through directory traversal on affected WordPress installations running on Windows hosts (WPScan).

The vulnerability was patched in version 7.59 of the All-in-One WP Migration plugin. Users are advised to update to this version or later to protect against potential exploitation (WPScan).