CVE-2024-13609
Published: 18 February 2025
Description
The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers to extract sensitive data including usernames and their respective password hashes during a short window of time in which the backup is in process.
Security Summary
CVE-2024-13609 is a sensitive information exposure vulnerability (CWE-200) affecting the 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress, in all versions up to and including 2.2. The flaw is located in the class-ocm-backup.php component and has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility with high attack complexity but high confidentiality impact.
Unauthenticated attackers can exploit the vulnerability during a short window of time while a backup process is active, enabling them to extract sensitive data such as usernames and their corresponding password hashes from the plugin.
Advisories from Wordfence provide further details on the vulnerability, while a patch is available in WordPress plugin changeset 3372639. The affected source code in class-ocm-backup.php can be reviewed via the plugin's Trac browser.
Details
- CWE(s)