[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYgoZrXjFopbewVywcL2AaY_7gmY28N5IP4yHGcOTiJA":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":23,"unpatched_count":13,"last_vuln_date":24,"fetched_at":25,"vulnerabilities":26,"developer":43,"crawl_stats":32,"alternatives":51,"analysis":52,"fingerprints":289},"xserver-migrator","XServer Migrator","1.6.6","XServer","https:\u002F\u002Fprofiles.wordpress.org\u002Fxserverjp\u002F","\u003Cp>エックスサーバー株式会社が提供するレンタルサーバーサービスの「エックスサーバー」「wpX Speed」で「WordPress簡単移行機能」をご利用いただくためのプラグインです。\u003C\u002Fp>\n\u003Cp>本プラグインを利用すると、他社サーバーでお使いのWordPressを弊社のサーバーへ移行することができます。\u003C\u002Fp>\n\u003Ch4>利用対象\u003C\u002Fh4>\n\u003Cp>「エックスサーバー」「wpX Speed」をご契約のお客様のみ、無料でご利用いただけます。\u003C\u002Fp>\n\u003Cp>ご利用いただく際は、各レンタルサーバーサービスの「WordPress簡単移行機能」から、WordPressのURLとログイン情報を入力してください。\u003C\u002Fp>\n\u003Ch4>サポート\u003C\u002Fh4>\n\u003Cp>プラグインの使用方法は、マニュアルをご参照ください。\u003C\u002Fp>\n\u003Cp>　▼エックスサーバー マニュアル\u003Cbr \u002F>\n　　https:\u002F\u002Fwww.xserver.ne.jp\u002Fmanual\u002Fman_install_transfer_wp.php\u003C\u002Fp>\n\u003Cp>　▼wpX Speed マニュアル\u003Cbr \u002F>\n　　https:\u002F\u002Fwww.wpx.ne.jp\u002Fsupport\u002Fmanual\u002Fman_transfer_easy.php\u003C\u002Fp>\n","エックスサーバー株式会社が提供するレンタルサーバーサービスで「WordPress簡単移行機能」をご利用いただくためのプラグインです。",10000,198879,0,"2025-01-09T02:27:00.000Z","6.7.5","4.2.29","",[19],"xserver","https:\u002F\u002Fja.wordpress.org\u002Fplugins\u002Fxserver-migrator","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fxserver-migrator.1.6.6.zip",90,1,"2024-04-29 
00:00:00","2026-03-15T15:16:48.613Z",[27],{"id":28,"url_slug":29,"title":30,"description":31,"plugin_slug":4,"theme_slug":32,"affected_versions":33,"patched_in_version":34,"severity":35,"cvss_score":36,"cvss_vector":37,"vuln_type":38,"published_date":24,"updated_date":39,"references":40,"days_to_patch":42},"CVE-2024-33913","xserver-migrator-cross-site-request-forgery-to-arbitrary-file-upload","Xserver Migrator \u003C= 1.6.2 - Cross-Site Request Forgery to Arbitrary File Upload","The Xserver Migrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.2. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to upload arbitrary files granted they can trick a site administrator into performing an action such as clicking on a link.",null,"\u003C=1.6.2","1.6.2.1","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Cross-Site Request Forgery (CSRF)","2024-05-22 
13:21:09",[41],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbde2a8a5-2d18-4659-bb35-dff4f521dbb4?source=api-prod",24,{"slug":44,"display_name":7,"profile_url":8,"plugin_count":45,"total_installs":46,"avg_security_score":47,"avg_patch_time_days":48,"trust_score":49,"computed_at":50},"xserverjp",2,110000,95,16,91,"2026-04-04T20:58:16.834Z",[],{"attackSurface":53,"codeSignals":101,"taintFlows":205,"riskAssessment":274,"analyzedAt":288},{"hooks":54,"ajaxHandlers":69,"restRoutes":97,"shortcodes":98,"cronEvents":99,"entryPointCount":100,"unprotectedCount":13},[55,60,64],{"type":56,"name":57,"callback":58,"file":59,"line":48},"action","admin_menu","add_admin_menu","packages\\class-xserver-migrator-admin.php",{"type":56,"name":61,"callback":62,"file":59,"line":63},"admin_head","add_admin_head",17,{"type":56,"name":65,"callback":66,"file":67,"line":68},"plugins_loaded","run_xserver_migrator","xserver-migrator.php",62,[70,77,81,85,89,93],{"action":71,"nopriv":72,"callback":73,"hasNonce":74,"hasCapCheck":72,"file":75,"line":76},"xserver_migrator_execute",false,"execute",true,"packages\\class-xserver-migrator.php",128,{"action":78,"nopriv":72,"callback":79,"hasNonce":74,"hasCapCheck":72,"file":75,"line":80},"xserver_migrator_get_versions_and_db_size","get_versions_and_db_size",129,{"action":82,"nopriv":72,"callback":83,"hasNonce":74,"hasCapCheck":72,"file":75,"line":84},"xserver_migrator_get_available_archive_methods","get_available_archive_methods",130,{"action":86,"nopriv":72,"callback":87,"hasNonce":74,"hasCapCheck":72,"file":75,"line":88},"xserver_migrator_create_challenge_token","create_challenge_token",131,{"action":90,"nopriv":72,"callback":91,"hasNonce":74,"hasCapCheck":72,"file":75,"line":92},"xserver_migrator_delete_challenge_token","delete_challenge_token",132,{"action":94,"nopriv":72,"callback":95,"hasNonce":74,"hasCapCheck":72,"file":75,"line":96},"xserver_migrator_get_table_prefix","get_table_prefix",133,[],[],[],6,{"dan
gerousFunctions":102,"sqlUsage":168,"outputEscaping":197,"fileOperations":203,"externalRequests":13,"nonceChecks":100,"capabilityChecks":45,"bundledLibraries":204},[103,108,110,114,117,120,122,125,128,131,134,137,140,143,146,149,152,154,157,160,163,165],{"fn":104,"file":105,"line":106,"context":107},"exec","packages\\archiver\\class-xserver-migrator-archiver.php",127,"exec( $command, $output, $return_var );",{"fn":104,"file":105,"line":109,"context":107},145,{"fn":104,"file":111,"line":112,"context":113},"packages\\class-xserver-migrator-server.php",100,"exec( 'pwd', $output, $return_var );",{"fn":104,"file":111,"line":115,"context":116},111,"exec( 'which zip', $output, $return_var );",{"fn":104,"file":111,"line":118,"context":119},116,"exec( 'type zip', $output, $return_var );",{"fn":104,"file":111,"line":106,"context":121},"exec( 'which zipinfo', $output, $return_var );",{"fn":104,"file":111,"line":123,"context":124},138,"exec( 'which tar', $output, $return_var );",{"fn":104,"file":111,"line":126,"context":127},143,"exec( 'type tar', $output, $return_var );",{"fn":104,"file":111,"line":129,"context":130},154,"exec( 'which mysqldump', $output, $return_var );",{"fn":104,"file":111,"line":132,"context":133},159,"exec( 'type mysqldump', $output, $return_var );",{"fn":104,"file":111,"line":135,"context":136},180,"exec( 'which find && which wc', $output, $return_var );",{"fn":104,"file":138,"line":139,"context":107},"packages\\database\\class-xserver-migrator-database-mysqldump-dumper.php",41,{"fn":104,"file":138,"line":141,"context":142},66,"exec( 'which mysqldump', $output, $status );",{"fn":104,"file":138,"line":144,"context":145},71,"exec( 'type mysqldump', $output, $status );",{"fn":104,"file":138,"line":147,"context":148},85,"exec( \"sed -i '' -e '\u002F^\\\u002F\\*!50013 DEFINER=\u002Fd' \" . $this->dump_file_path, $output, $status );",{"fn":104,"file":138,"line":150,"context":151},87,"exec( \"sed -i -e '\u002F^\\\u002F\\*!50013 DEFINER=\u002Fd' \" . 
$this->dump_file_path, $output, $status );",{"fn":104,"file":138,"line":47,"context":153},"exec( \"sed -i '' -r 's\u002F\\\u002F\\*\\!50020 DEFINER=`.*`@`localhost`\\*\\\u002F \u002F\u002Fg' \" . $this->dump_file_path, $out",{"fn":104,"file":138,"line":155,"context":156},97,"exec( \"sed -i -E 's\u002F\\\u002F\\*\\!50020 DEFINER=`.*`@`localhost`\\*\\\u002F \u002F\u002Fg' \" . $this->dump_file_path, $output",{"fn":104,"file":138,"line":158,"context":159},105,"exec( \"sed -i '' -r 's\u002FCREATE DEFINER=.+ (FUNCTION|PROCEDURE)\u002FCREATE \\\\1\u002Fg' \" . $this->dump_file_pat",{"fn":104,"file":138,"line":161,"context":162},107,"exec( \"sed -i -E 's\u002FCREATE DEFINER=.+\\s(FUNCTION|PROCEDURE)\u002FCREATE \\\\1\u002Fg' \" . $this->dump_file_path,",{"fn":104,"file":138,"line":118,"context":164},"exec( \"sed -i '' -e '\u002F^\\\u002F\\*.*\\\\\\- enable the sandbox mode\u002Fd' \" . $this->dump_file_path, $output, $st",{"fn":104,"file":138,"line":166,"context":167},118,"exec( \"sed -i -e '\u002F^\\\u002F\\*.*\\\\\\- enable the sandbox mode\u002Fd' \" . 
$this->dump_file_path, $output, $statu",{"prepared":100,"raw":169,"locations":170},11,[171,175,178,180,182,184,187,189,191,193,195],{"file":172,"line":173,"context":174},"packages\\database\\class-xserver-migrator-database-scratch-dumper.php",252,"$wpdb->get_var() with variable interpolation",{"file":172,"line":176,"context":177},255,"$wpdb->get_results() with variable interpolation",{"file":172,"line":179,"context":174},258,{"file":172,"line":181,"context":177},270,{"file":172,"line":183,"context":177},278,{"file":172,"line":185,"context":186},349,"$wpdb->get_row() with variable interpolation",{"file":172,"line":188,"context":186},373,{"file":172,"line":190,"context":186},395,{"file":172,"line":192,"context":186},416,{"file":172,"line":194,"context":186},437,{"file":172,"line":196,"context":186},458,{"escaped":198,"rawEcho":23,"locations":199},9,[200],{"file":59,"line":201,"context":202},32,"raw output",14,[],[206,222,250,265],{"entryPoint":207,"graph":208,"unsanitizedCount":23,"severity":221},"add_admin_head (packages\\class-xserver-migrator-admin.php:23)",{"nodes":209,"edges":219},[210,214],{"id":211,"type":212,"label":213,"file":59,"line":201},"n0","source","$_GET['page']",{"id":215,"type":216,"label":217,"file":59,"line":201,"wp_function":218},"n1","sink","echo() [XSS]","echo",[220],{"from":211,"to":215,"sanitized":72},"medium",{"entryPoint":223,"graph":224,"unsanitizedCount":45,"severity":221},"create_challenge_token (packages\\class-xserver-migrator.php:240)",{"nodes":225,"edges":245},[226,229,232,238,241,243],{"id":211,"type":212,"label":227,"file":75,"line":228},"$_POST['file_name']",249,{"id":215,"type":230,"label":231,"file":75,"line":228},"transform","→ create_file()",{"id":233,"type":216,"label":234,"file":235,"line":236,"wp_function":237},"n2","file_put_contents() [File 
Write]","packages\\class-xserver-migrator-ssl.php",31,"file_put_contents",{"id":239,"type":212,"label":240,"file":75,"line":228},"n3","$_POST['contents']",{"id":242,"type":230,"label":231,"file":75,"line":228},"n4",{"id":244,"type":216,"label":234,"file":235,"line":236,"wp_function":237},"n5",[246,247,248,249],{"from":211,"to":215,"sanitized":72},{"from":215,"to":233,"sanitized":72},{"from":239,"to":242,"sanitized":72},{"from":242,"to":244,"sanitized":72},{"entryPoint":251,"graph":252,"unsanitizedCount":45,"severity":221},"\u003Cclass-xserver-migrator> (packages\\class-xserver-migrator.php:0)",{"nodes":253,"edges":260},[254,255,256,257,258,259],{"id":211,"type":212,"label":227,"file":75,"line":228},{"id":215,"type":230,"label":231,"file":75,"line":228},{"id":233,"type":216,"label":234,"file":235,"line":236,"wp_function":237},{"id":239,"type":212,"label":240,"file":75,"line":228},{"id":242,"type":230,"label":231,"file":75,"line":228},{"id":244,"type":216,"label":234,"file":235,"line":236,"wp_function":237},[261,262,263,264],{"from":211,"to":215,"sanitized":72},{"from":215,"to":233,"sanitized":72},{"from":239,"to":242,"sanitized":72},{"from":242,"to":244,"sanitized":72},{"entryPoint":266,"graph":267,"unsanitizedCount":23,"severity":273},"\u003Cclass-xserver-migrator-admin> (packages\\class-xserver-migrator-admin.php:0)",{"nodes":268,"edges":271},[269,270],{"id":211,"type":212,"label":213,"file":59,"line":201},{"id":215,"type":216,"label":217,"file":59,"line":201,"wp_function":218},[272],{"from":211,"to":215,"sanitized":72},"low",{"summary":275,"deductions":276},"The xserver-migrator plugin v1.6.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices: the attack surface is completely protected, with all AJAX handlers protected and no REST API routes or shortcodes exposed. The output escaping is also excellent at 90%. However, several concerning aspects warrant attention. 
The presence of 22 dangerous function calls, specifically 'exec', is a significant red flag, indicating a potential for arbitrary code execution if not handled with extreme care and rigorous input validation. While taint analysis did not reveal critical or high severity issues in this specific scan, the fact that all 4 analyzed flows had unsanitized paths is concerning and suggests potential vulnerabilities that might be subtle or not fully captured by the current analysis.\n\nThe plugin's vulnerability history shows a single high-severity CVE in the past, identified as Cross-Site Request Forgery (CSRF). While this CVE is currently patched, the existence of a past high-severity vulnerability, even if resolved, indicates a history of security weaknesses. The pattern of past vulnerabilities, though limited in number, combined with the static analysis findings of 'exec' usage and unsanitized paths, suggests a need for continued vigilance and thorough security auditing. Overall, while the current version has a secure entry point exposure and good output sanitization, the deep-seated use of dangerous functions and the concerning taint analysis results point to underlying risks that could be exploited if inputs are not meticulously validated and handled.",[277,280,283,285],{"reason":278,"points":279},"Dangerous function 'exec' usage detected",15,{"reason":281,"points":282},"All taint flows had unsanitized paths",10,{"reason":284,"points":279},"Past high severity vulnerability (CSRF)",{"reason":286,"points":287},"SQL queries not always using prepared 
statements",5,"2026-03-16T17:36:05.761Z",{"wat":290,"direct":299},{"assetPaths":291,"generatorPatterns":294,"scriptPaths":295,"versionParams":296},[292,293],"\u002Fwp-content\u002Fplugins\u002Fxserver-migrator\u002Fpackages\u002Fcss\u002Fxserver-migrator-admin.css","\u002Fwp-content\u002Fplugins\u002Fxserver-migrator\u002Fpackages\u002Fjs\u002Fxserver-migrator-admin.js",[],[293],[297,298],"xserver-migrator\u002Fpackages\u002Fcss\u002Fxserver-migrator-admin.css?ver=","xserver-migrator\u002Fpackages\u002Fjs\u002Fxserver-migrator-admin.js?ver=",{"cssClasses":300,"htmlComments":301,"htmlAttributes":304,"restEndpoints":307,"jsGlobals":308,"shortcodeOutput":310},[],[302,303],"\u003C!-- Xserver Migrator -->","\u003C!-- Dump completed on YYYY-MM-DD HH:MM:SS -->",[305,306],"name=\"xserver-migrator-nonce\"","content=\"",[],[309],"window.xserver_migrator_nonce",[]]