CVE-2024-9162: 
WordPress vulnerability analysis and mitigation

The All-in-One WP Migration and Backup plugin for WordPress contains a vulnerability (CVE-2024-9162) that allows arbitrary PHP Code Injection due to missing file type validation during the export process in versions up to and including 7.86. This vulnerability affects WordPress installations with the plugin installed and requires administrator-level access or higher privileges (NVD, GitHub POC).

The vulnerability stems from insufficient file type validation in the export functionality. The issue involves the ai1wmsecretkey, a 12-character alphanumeric string created during plugin initialization, which is stored in plain text in the wp_options table and never rotates. Attackers can exploit this by creating an export file with a .php extension on the affected site's server and injecting arbitrary PHP code, potentially enabling remote code execution. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (GitHub POC).

When successfully exploited, this vulnerability allows authenticated attackers with administrator-level access to inject arbitrary PHP code into the server through maliciously crafted export files. This can lead to remote code execution capabilities on the affected WordPress installation, potentially compromising the entire website and server (NVD).

Website administrators should immediately update the All-in-One WP Migration and Backup plugin to a version newer than 7.86 when available. In the meantime, it is recommended to restrict administrator access and monitor for suspicious export activities in the plugin (NVD).