CVE-2022-1476

Name of the Vulnerable Software and Affected Versions All-in-One WP Migration plugin for WordPress versions up to, and including, 7.58

Description The issue arises from insufficient file validation via the ~/lib/model/class-ai1wm-backups.php file, allowing for arbitrary file deletion via directory traversal. This can be exploited by administrative users and users with access to the site's secret key, such as site secret key.

Recommendations For versions up to, and including, 7.58, update to a version higher than 7.58 to resolve the issue. As a temporary workaround, consider restricting access to the class-ai1wm-backups.php file until a patch is available. Restrict access to the site's secret key to minimize the risk of exploitation.