Description
The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure.
Published: 2026-05-06
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the All-in-One WP Migration Unlimited Extension plugin. The handler that saves backup schedules does not verify user capabilities, so any authenticated user with subscriber-level or higher access can create scheduled export jobs and set the address that receives the backup notification. Because that notification includes the randomly generated backup filename, an attacker can subsequently download the full site backup, exposing sensitive site data. This flaw corresponds to CWE-862 (Missing Authorization).
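The following is an added illustration, not code from the plugin or from OpenCVE, of the CWE-862 pattern this advisory describes and of the hardened form of the same handler. The hook name (admin_post_example_schedule_save), the option name (example_backup_schedule), the menu slug and the choice of the 'export' capability are all assumptions for the example; the page does not state which capability the vendor's fixed version checks.

```php
<?php
// Added illustration (not the plugin's code). Names below are hypothetical:
// hook 'admin_post_example_schedule_save', option 'example_backup_schedule',
// capability 'export' (which WordPress grants to administrators by default).

// --- Vulnerable pattern (CWE-862) ---------------------------------------
// admin_post_{action} fires for ANY logged-in user who requests
// wp-admin/admin-post.php?action=example_schedule_save, subscribers included.
// Nothing here asks who the caller is, so any account can create a schedule
// and point its notification e-mail at an address of its own choosing.
function example_schedule_save_vulnerable() {
    $schedule = array(
        'interval' => isset( $_POST['interval'] ) ? sanitize_text_field( wp_unslash( $_POST['interval'] ) ) : 'daily',
        'notify'   => isset( $_POST['notify'] )   ? sanitize_email( wp_unslash( $_POST['notify'] ) )       : '',
    );
    update_option( 'example_backup_schedule', $schedule );
    wp_safe_redirect( admin_url( 'admin.php?page=example-schedules' ) );
    exit;
}

// --- Hardened pattern ----------------------------------------------------
function example_schedule_save_hardened() {
    // 1. CSRF: the submitting form must carry a nonce tied to this action.
    check_admin_referer( 'example_schedule_save' );

    // 2. Authorization (the check that was missing): only users allowed to
    //    export the site may create export schedules; everyone else gets 403.
    if ( ! current_user_can( 'export' ) ) {
        wp_die( esc_html__( 'You are not allowed to manage backup schedules.' ), '', array( 'response' => 403 ) );
    }

    // 3. Validate the notification address instead of silently saving junk.
    $notify = isset( $_POST['notify'] ) ? sanitize_email( wp_unslash( $_POST['notify'] ) ) : '';
    if ( '' !== $notify && ! is_email( $notify ) ) {
        wp_die( esc_html__( 'Invalid notification address.' ), '', array( 'response' => 400 ) );
    }

    // 4. Constrain the interval to a known set rather than trusting the form.
    $allowed  = array( 'hourly', 'daily', 'weekly' );
    $interval = isset( $_POST['interval'] ) ? sanitize_text_field( wp_unslash( $_POST['interval'] ) ) : 'daily';
    if ( ! in_array( $interval, $allowed, true ) ) {
        $interval = 'daily';
    }

    update_option( 'example_backup_schedule', array( 'interval' => $interval, 'notify' => $notify ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-schedules' ) );
    exit;
}

// Register only the hardened handler. The capability check has to live inside
// the callback: hanging the form off an admin-only menu page does not restrict
// admin-post.php, which any authenticated user can reach directly.
add_action( 'admin_post_example_schedule_save', 'example_schedule_save_hardened' );
```

The point of the pair is that both handlers are reachable by the same URL once a user is logged in; the difference is solely whether the callback decides for itself who may run it. When auditing a plugin for this class of bug, list every `admin_post_*` and `wp_ajax_*` registration and confirm each callback performs its own `current_user_can()` and nonce check before touching state.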

Affected Systems

The flaw affects WordPress sites that use the All‑in‑One WP Migration Unlimited Extension plugin from servmask. Versions up to and including 2.83 are impacted. Any site using these versions with WordPress user accounts that have subscriber or higher roles is at risk.

Risk and Exploitability

The flaw has a CVSS score of 6.5, indicating moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated session; an attacker with subscriber-level privileges can create schedules and trigger backup file downloads. No additional exploitation steps are required beyond normal authentication within the WordPress dashboard.

Generated by OpenCVE AI on May 6, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the All‑in‑One WP Migration Unlimited Extension plugin to version 2.84 or later.
  • If an upgrade is not currently possible, temporarily disable the backup schedule creation feature or remove the vulnerable endpoint from the plugin’s admin interface.
  • Ensure that backup files are stored behind authenticated access and only administrators have download permissions.


Advisories

No advisories yet.

History

Wed, 06 May 2026 09:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Servmask; Servmask all-in-one Wp Migration Unlimited Extension; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Servmask; Servmask all-in-one Wp Migration Unlimited Extension; Wordpress; Wordpress wordpress

Wed, 06 May 2026 04:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure.

Type: Title
  Values Removed: (none)
  Values Added: All-in-One WP Migration Unlimited Extension <= 2.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-862

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-06T03:27:21.807Z

Reserved: 2026-04-07T16:14:53.795Z

Link: CVE-2026-5753

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T04:16:09.097

Modified: 2026-05-06T04:16:09.097

Link: CVE-2026-5753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:21:18Z

Weaknesses