CVE-2024-9162

🗓️ 28 Oct 2024 05:32:24Reported by WordfenceType

cve🔗 web.nvd.nist.gov👁 67 Views🌐 WEB

All-in-One WP Migration plugin for WordPress allows arbitrary PHP code injection via export functio

Reporter	Title	Published	Views	Family All 10
GithubExploit	Exploit for CVE-2024-9162	29 Sep 202419:34	–	githubexploit
Circl	CVE-2024-9162	28 Oct 202407:47	–	circl
CNNVD	WordPress plugin All-in-One WP Migration and Backup 代码注入漏洞	28 Oct 202400:00	–	cnnvd
Cvelist	CVE-2024-9162 All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection	28 Oct 202405:32	–	cvelist
NVD	CVE-2024-9162	28 Oct 202406:15	–	nvd
Patchstack	WordPress All-in-One WP Migration Plugin <= 7.86 is vulnerable to PHP Object Injection	28 Oct 202400:00	–	patchstack
Patchstack	WordPress All-in-One WP Migration and Backup plugin <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection vulnerability	28 Oct 202408:08	–	patchstack
RedhatCVE	CVE-2024-9162	5 Feb 202504:26	–	redhatcve
Vulnrichment	CVE-2024-9162 All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection	28 Oct 202405:32	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (October 21, 2024 to October 27, 2024)	31 Oct 202415:37	–	wordfence

Vulners

Vulnrichment

Node

servmask all-in-one_wp_migration_and_backupRange≤7.86wordpress

[
  {
    "vendor": "servmask",
    "product": "All-in-One WP Migration and Backup",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "7.86",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-export-controller.php
plugins	www.plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-backups-controller.php
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40
github	www.github.com/d0n601/CVE-2024-9162
ryankozak	www.ryankozak.com/posts/CVE-2024-9162

Parameter	Position	Path	Description	CWE
action	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
ai1wm_export	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
ai1wm_import	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
archive	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
secret_key	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
priority	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
file	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
storage	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
replace	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94
new_value	request body	wp-admin/admin-ajax.php	Authenticated exploit via admin-ajax POST that injects a PHP payload through ai1wm_export/ai1wm_import flow.	CWE-94

17 Jun 2026 08:24Current

7.6High risk

Vulners AI Score7.6

CVSS 3.17.2

EPSS0.02668

SSVC

CWE-94