PT-2026-37342 · WordPress · All-In-One Wp Migration Unlimited Extension

Sélim Lanouar · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-5753

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

All-in-One WP Migration Unlimited Extension versions prior to 2.84

Description

The plugin is affected by missing authorization. The Ai1wmve_Schedules_Controller::save function for the 'admin_post_ai1wm_schedule_event_save' endpoint does not verify user capabilities before saving schedule data. This allows authenticated attackers with subscriber-level access or higher to create scheduled export jobs and direct backup notifications to email addresses they control. Since these notifications contain the random backup filename, attackers can download full site backups, leading to the exposure of sensitive information.

Recommendations

Update to a version later than 2.83.
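
For sites that cannot update immediately, the missing capability check can be enforced from outside the plugin. The must-use plugin below is an added example, not code from the vendor or from this advisory; it assumes the hook name is the endpoint named in the description written with underscores, and that schedule management should be limited to users with manage_options (the guard function and constant names are hypothetical).

```php
<?php
/**
 * Plugin Name: Guard ai1wm schedule save (temporary mitigation)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

defined( 'ABSPATH' ) || exit;

// Assumption: the endpoint named in the advisory, written as a WordPress hook.
const GUARD_AI1WM_HOOK = 'admin_post_ai1wm_schedule_event_save';

// Assumption: only administrators should be able to create or edit schedules.
const GUARD_AI1WM_CAP = 'manage_options';

/**
 * Runs ahead of the plugin's own handler on the same hook and stops the
 * request unless the current user holds the required capability.
 */
function guard_ai1wm_schedule_save() {
	if ( current_user_can( GUARD_AI1WM_CAP ) ) {
		return; // Authorized: fall through to the plugin's handler.
	}

	// Leave a trace for detection: who tried to save a schedule, and from where.
	$user = wp_get_current_user();
	$ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
	error_log(
		sprintf(
			'[guard-ai1wm] blocked schedule save: user_id=%d login=%s ip=%s',
			$user->ID,
			$user->user_login,
			$ip
		)
	);

	// wp_die() ends the request, so later callbacks on this hook never run.
	wp_die(
		'You are not allowed to manage backup schedules.',
		'Forbidden',
		array( 'response' => 403 )
	);
}

// admin_post_{action} fires for any logged-in user, subscribers included.
// The lowest possible priority makes this callback run first.
add_action( GUARD_AI1WM_HOOK, 'guard_ai1wm_schedule_save', PHP_INT_MIN );
```

The guard only narrows who can reach the handler; the update recommended above remains the fix, and existing schedules should still be reviewed for unfamiliar notification addresses.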

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-5753

Affected Products

All-In-One Wp Migration Unlimited Extension