PT-2023-12789 · WordPress · All-In-One Wp Migration

Filipe Baptistella · Published 2023-02-02 · Updated 2025-03-26

CVE-2022-2546 · CVSS v3.1 4.7 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerable software and affected versions
All-in-One WP Migration WordPress plugin, versions prior to 7.63

Description
The plugin's ai1wm_export AJAX action serves its response with the wrong content type (one the browser renders as HTML) and does not escape the request data it reflects into that response. An attacker who knows the static secret key the action accepts can craft a request that, when opened by any visitor, injects arbitrary HTML or JavaScript into the response; the payload then executes in the victim's browser in the context of the site (reflected cross-site scripting). The secret-key prerequisite is why the CVSS vector rates attack complexity High, and user interaction is required because the victim has to open the crafted link.
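The bug class behind this advisory, reduced to a minimal WordPress AJAX handler, as an added example. This is illustrative code written for this page, not the plugin's own source: the action name `example_export`, the `secret_key` and `archive` parameters and the `EXAMPLE_SECRET` constant are all hypothetical. The vulnerable handler echoes request data unescaped under the `text/html` content type that admin-ajax.php sends by default; the hardened handler answers with JSON and escapes the reflected value.

```php
<?php
// Added example (not code from All-in-One WP Migration): the bug class behind
// CVE-2022-2546, a WordPress AJAX handler that reflects request data into an
// HTML response unescaped, next to a hardened version. The action name,
// parameter names and EXAMPLE_SECRET are hypothetical.

define( 'EXAMPLE_SECRET', 'replace-with-a-long-random-value' ); // hypothetical

// Shared by both handlers: a static secret must be presented (the advisory
// notes the attacker has to know it, hence AC:H in the CVSS vector).
function example_export_secret_ok() {
    $given = isset( $_REQUEST['secret_key'] ) ? (string) wp_unslash( $_REQUEST['secret_key'] ) : '';
    return hash_equals( EXAMPLE_SECRET, $given );
}

// VULNERABLE pattern. admin-ajax.php sends Content-Type: text/html by default,
// so anything echoed unescaped is rendered by the browser, and a link such as
//   /wp-admin/admin-ajax.php?action=example_export&secret_key=...&archive=<script>...</script>
// opened by any visitor runs the script in the site's origin.
function example_export_ajax_vulnerable() {
    if ( ! example_export_secret_ok() ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $archive = isset( $_REQUEST['archive'] ) ? (string) wp_unslash( $_REQUEST['archive'] ) : '';
    echo 'Exporting ' . $archive; // BUG: unescaped reflection under an HTML content type
    wp_die();
}

// HARDENED pattern: wp_send_json_* sets Content-Type: application/json and
// JSON-encodes the payload, so the response is never rendered as markup; the
// value is additionally sanitized and escaped as a second layer in case a
// caller later inserts it into the DOM.
function example_export_ajax_fixed() {
    if ( ! example_export_secret_ok() ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $archive = isset( $_REQUEST['archive'] ) ? sanitize_file_name( wp_unslash( $_REQUEST['archive'] ) ) : '';
    wp_send_json_success( array( 'message' => 'Exporting ' . esc_html( $archive ) ) );
}

// Register the hardened handler for both logged-in and anonymous callers,
// mirroring an action that is reachable without a WordPress session.
add_action( 'wp_ajax_example_export', 'example_export_ajax_fixed' );
add_action( 'wp_ajax_nopriv_example_export', 'example_export_ajax_fixed' );
```

The two fixes are independent: the JSON content type stops the browser from interpreting the body as a document at all, and the escaping protects any front-end code that later writes the message into the page. Either one alone would have blocked this particular injection; together they cover both the response and its consumers.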
Recommendations
Update All-in-One WP Migration to version 7.63 or later, which fixes the issue. If the update cannot be applied immediately, restrict access to the ai1wm_export AJAX action as a temporary workaround (for example, refuse it to requests that are not the plugin's own XHR calls), and do not expose a site running an affected version to untrusted visitors until it is updated. Because the attack also requires the static secret key, treat that key as sensitive.
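One way to implement the interim restriction, as an added example that is not part of the plugin or of this advisory's original text: a must-use plugin that refuses to serve the `ai1wm_export` AJAX action to a browser navigation (the delivery method a reflected-XSS link relies on) while the installed plugin version is below 7.63. The plugin path under `wp-content/plugins`, the use of the `Sec-Fetch-Dest` and `X-Requested-With` headers as the navigation test, and the `cve_2022_2546_guard_*` function names are assumptions; confirm that the plugin's own export requests still succeed before relying on it.

```php
<?php
/**
 * Plugin Name: Guard for CVE-2022-2546 (added example, not part of the plugin)
 *
 * Drop this file into wp-content/mu-plugins/ as a stop-gap only if the update
 * to 7.63 cannot be applied right away. It refuses the ai1wm_export AJAX
 * action to top-level navigations (the way a reflected-XSS link is delivered)
 * while the installed plugin is older than 7.63, and becomes a no-op after
 * the update. Plugin path and header checks are assumptions.
 */

// True when the request is a page load (link click, address bar, frame)
// rather than the XHR a plugin admin page would make.
function cve_2022_2546_guard_is_navigation() {
    // Fetch Metadata: navigations carry Sec-Fetch-Dest: document (or a frame).
    $dest = isset( $_SERVER['HTTP_SEC_FETCH_DEST'] ) ? strtolower( $_SERVER['HTTP_SEC_FETCH_DEST'] ) : null;
    if ( null !== $dest ) {
        return in_array( $dest, array( 'document', 'iframe', 'frame' ), true );
    }
    // Browsers without Fetch Metadata: fall back to the marker jQuery.ajax sends.
    $xrw = isset( $_SERVER['HTTP_X_REQUESTED_WITH'] ) ? $_SERVER['HTTP_X_REQUESTED_WITH'] : '';
    return 0 !== strcasecmp( $xrw, 'XMLHttpRequest' );
}

// True while the installed All-in-One WP Migration is older than the fixed release.
function cve_2022_2546_guard_plugin_vulnerable() {
    // Assumed main-file path; adjust if your install differs.
    $main = WP_PLUGIN_DIR . '/all-in-one-wp-migration/all-in-one-wp-migration.php';
    if ( ! file_exists( $main ) ) {
        return false; // plugin not installed, nothing to guard
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $main, false, false );
    return version_compare( $data['Version'], '7.63', '<' );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_* hooks, so this
// runs ahead of the plugin's handler. Priority 1 keeps it early.
add_action( 'admin_init', function () {
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( 'ai1wm_export' !== $action ) {
        return;
    }
    if ( cve_2022_2546_guard_plugin_vulnerable() && cve_2022_2546_guard_is_navigation() ) {
        // JSON + 403: even if this message were reflected, it is not rendered as markup.
        wp_send_json_error(
            array( 'message' => 'ai1wm_export is not served to page navigations until the plugin is updated' ),
            403
        );
    }
}, 1 );
```

The guard deliberately keys on how the request was made rather than on whether the caller is logged in: the advisory's victim is "any visitor", which includes an administrator who clicks the link, and the secret key in the URL already satisfies the action's own access check. Blocking navigations stops the payload from being rendered while leaving the plugin's scripted calls untouched.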

Related Identifiers

CVE-2022-2546

Affected Products

All-In-One Wp Migration