
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-40004 is a Missing Authorization vulnerability affecting multiple extensions of the All-in-One WP Migration plugin developed by ServMask. The affected extensions include Box Extension (versions through 1.53), OneDrive Extension (versions through 1.66), Dropbox Extension (versions through 3.75), and Google Drive Extension (versions through 2.79). The vulnerability was discovered on July 18, 2023, and was publicly disclosed on August 30, 2023 (Patchstack Article).
The vulnerability stems from a missing authorization check in the init() function hooked to the WordPress admin_init action. The vulnerable code exists in all affected extensions with similar implementation patterns, allowing unauthenticated users to manipulate access tokens through the wp-admin/wp-ajax.php endpoint. The vulnerability has been assigned a CVSS v3.1 score of 7.3 (High) and is classified under CWE-862 (Missing Authorization) (WPScan).
The vulnerability allows any unauthenticated user to update or delete the access token configuration of the affected extensions. This could lead to sensitive information disclosure by redirecting migrations to attacker-controlled third-party accounts, or enable the restoration of malicious backups (Patchstack Article).
The vulnerability has been patched in the following versions: Box Extension v1.54, Google Drive Extension v2.80, OneDrive Extension v1.67, and Dropbox Extension v3.76. Users are strongly advised to update to these fixed versions immediately. The patch implements proper permission and nonce validation on the init function (Patchstack Article).
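The pattern behind the bug and the shape of the fix described above, as an added illustration rather than the ServMask extensions' own code: a hypothetical settings handler hooked to admin_init (all hyp_ext_ names and the option key are assumed). The point a defender should take from it is that admin_init also fires for wp-admin/admin-ajax.php requests from unauthenticated visitors, so the hook alone says nothing about who is calling.

```php
<?php
// Added illustration, not ServMask code. Hypothetical handler that stores a
// cloud access token for a migration extension, hooked to admin_init.
// admin_init runs for admin-ajax.php requests too, authenticated or not.

// VULNERABLE PATTERN: trusts the request because it arrived through an
// admin hook and writes or deletes the stored token on any POST.
function hyp_ext_init_vulnerable() {
    if ( isset( $_POST['hyp_ext_token'] ) ) {
        update_option( 'hyp_ext_token', sanitize_text_field( wp_unslash( $_POST['hyp_ext_token'] ) ) );
    }
    if ( isset( $_POST['hyp_ext_revoke'] ) ) {
        delete_option( 'hyp_ext_token' );
    }
}
// add_action( 'admin_init', 'hyp_ext_init_vulnerable' ); // kept for comparison only

// HARDENED PATTERN: the same handler with the two checks the advisory names
// as the fix, a capability (authorization) check and a nonce check.
function hyp_ext_init_hardened() {
    if ( ! isset( $_POST['hyp_ext_token'] ) && ! isset( $_POST['hyp_ext_revoke'] ) ) {
        return; // ordinary admin page load, nothing to process
    }
    // Authorization: only users who may manage site options can change tokens.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hyp-ext' ), '', array( 'response' => 403 ) );
    }
    // CSRF protection: the POST must carry a nonce issued for this action;
    // check_admin_referer() dies with a 403 when it is missing or invalid.
    check_admin_referer( 'hyp_ext_update_token', 'hyp_ext_nonce' );

    if ( isset( $_POST['hyp_ext_revoke'] ) ) {
        delete_option( 'hyp_ext_token' );
        return;
    }
    update_option( 'hyp_ext_token', sanitize_text_field( wp_unslash( $_POST['hyp_ext_token'] ) ) );
}
add_action( 'admin_init', 'hyp_ext_init_hardened' );

// The settings form must emit this field so the hardened handler accepts it.
function hyp_ext_render_nonce_field() {
    wp_nonce_field( 'hyp_ext_update_token', 'hyp_ext_nonce' );
}
```

When auditing a plugin for this class of bug, look for state-changing code reachable from admin_init, admin-ajax actions or REST routes that lacks both a current_user_can() check and a nonce or permission_callback check; the capability check is the authorization fix, and the nonce only prevents cross-site request forgery against an already authorized user.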
Source: This report was generated using AI