CVE-2026-5753 is a missing authorization vulnerability (CWE-862) in the All-in-One WP Migration Unlimited Extension plugin for WordPress, affecting versions up to and including 2.83. The issue arises because the 'Ai1wmve_Schedules_Controller::save' handler for the 'admin_post_ai1wm_schedule_event_save' action does not check user permissions before saving scheduled export jobs. This flaw allows authenticated users with low privileges (subscriber-level and above) to create scheduled export jobs and send backup notifications to email addresses controlled by attackers. Since these notifications include the random backup filename, attackers can subsequently download full site backups, leading to sensitive data exposure. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No patch or official remediation is currently documented.

An attacker with subscriber-level access or higher can exploit this vulnerability to create scheduled export jobs and receive backup notifications containing backup filenames. This enables the attacker to download full site backups, resulting in the exposure of sensitive information stored on the WordPress site. The confidentiality impact is high, but integrity and availability are not affected.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level user access and monitor for unusual scheduled export jobs or backup notifications. Avoid granting unnecessary privileges to low-level users.