vulnerability

WordPress Plugin: all-in-one-wp-migration: CVE-2024-9162: Improper Control of Generation of Code ('Code Injection')

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:M/C:C/I:C/A:C)	Oct 27, 2024	May 15, 2025	Apr 30, 2026

Severity

CVSS

(AV:N/AC:L/Au:M/C:C/I:C/A:C)

Published

Oct 27, 2024

Added

May 15, 2025

Modified

Apr 30, 2026

Description

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible.

Solution

all-in-one-wp-migration-plugin-cve-2024-9162

References

https://www.cve.org/CVERecord?id=CVE-2024-9162
https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2024-49764
CVE-2024-9162
https://attackerkb.com/topics/CVE-2024-9162
CWE-94
EUVD-EUVD-2024-49764

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report