Multiple Plugins from ServMask – Unauthenticated Access Token Update | CVE 2023-40004 | Plugin Vulnerabilities

Description

The plugins do not have authorisation in the init() function hooked to the admin_init action, allowing unauthenticated attackers to update the access token

Proof of Concept

With the All-in-One WP Migration Box Extension installed, open the below URL as unauthenticated:

https://example.com/wp-admin/admin-ajax.php?ai1wmbe_token=AAAA

Affects Plugins

all-in-one-wp-migration-box-extension

Fixed in 1.54

all-in-one-wp-migration-dropbox-extension

Fixed in 3.76

all-in-one-wp-migration-gdrive-extension

Fixed in 2.80

all-in-one-wp-migration-onedrive-extension

Fixed in 1.67

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

637bbd1d-2bf2-470e-8d19-bd48a2280530

Timeline

Publicly Published

2023-08-30 (about 2 years ago)

Added

2023-08-31 (about 2 years ago)

Last Updated

2023-08-31 (about 2 years ago)

Other

Published

Title

Published

2024-06-06

Title

Dashboard To-Do List < 1.3.0 - Missing Authorization via ardtdw_widgetsetup()

Published

2026-01-23

Title

Alchemist Ajax Upload <= 1.1 - Missing Authorization to Unauthenticated Arbitrary Media File Deletion

Published

2026-02-13

Title

Accordion and Accordion Slider < 1.4.6 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification

Published

2024-01-30

Title

WOLF – WordPress Posts Bulk Editor and Manager Professional < 1.0.8.2 - Missing Authorization

Published

2025-12-16

Title

Converter for Media < 6.4.0 - Subscriber+ Optimized Image Deletion via regenerate-attachment REST Endpoint