CVE-2024-9162 is a code injection vulnerability classified under CWE-94 affecting the All-in-One WP Migration and Backup plugin for WordPress, developed by yaniiliev. The vulnerability arises from insufficient validation of file types during the export process, allowing authenticated users with administrator-level privileges to generate export files with a .php extension on the server. By embedding arbitrary PHP code into these export files, attackers can achieve remote code execution (RCE) on the affected web server. This vulnerability affects all plugin versions up to and including 7.86. The CVSS v3.1 base score is 7.2, indicating high severity, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, meaning the attack can be performed remotely over the network with low complexity but requires high privileges (administrator) and no user interaction. The scope is unchanged, but the impact on confidentiality, integrity, and availability is high due to the potential for full server compromise. No public exploits have been reported yet, but the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple administrators or less stringent access controls. The lack of file type validation during export is a critical design flaw that should be addressed by the vendor through patching. Until a patch is available, administrators should consider restricting export functionality or monitoring for suspicious export files with .php extensions.

The vulnerability allows attackers with administrator privileges to execute arbitrary PHP code on the web server hosting the WordPress site, potentially leading to full server compromise. This can result in unauthorized data access, data modification, defacement, malware deployment, or pivoting to internal networks. The confidentiality, integrity, and availability of the affected systems are severely impacted. Since WordPress powers a significant portion of the web, and the All-in-One WP Migration and Backup plugin is widely used for site backups and migrations, the scope of affected systems is substantial. Organizations relying on this plugin face risks including data breaches, service disruptions, and reputational damage. The requirement for administrator-level access limits exploitation to insiders or attackers who have already compromised an admin account, but the ease of code injection and potential for remote code execution make this a critical threat. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation.

1. Immediately restrict administrator privileges to trusted personnel only and audit existing admin accounts for suspicious activity. 2. Disable or limit the export functionality in the All-in-One WP Migration and Backup plugin until a security patch is released. 3. Monitor the server filesystem for creation of unexpected .php files, especially in directories used by the plugin for exports. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests related to export operations. 5. Regularly back up WordPress sites using alternative secure methods that do not rely on vulnerable plugins. 6. Once the vendor releases a patch, promptly update the plugin to the fixed version. 7. Employ intrusion detection systems to identify anomalous PHP execution or file creation patterns. 8. Educate administrators on the risks of privilege misuse and enforce strong authentication mechanisms to prevent account compromise. 9. Consider isolating WordPress environments using containerization or sandboxing to limit the impact of potential code execution. 10. Review and harden server permissions to prevent unauthorized file creation or execution outside expected directories.