[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTgvGfwipG9mRQOkyaKpeZep4Z3wvC5gZxVjQujptv44":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-49043","wp-migrate-lite-migration-made-easy-cross-site-request-forgery","WP Migrate Lite – Migration Made Easy \u003C= 2.7.8 - Cross-Site Request Forgery","The WP Migrate Lite – Migration Made Easy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.8. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","wp-migrate-db",null,"\u003C=2.7.8","2.7.9","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-06-10 00:00:00","2026-06-15 19:21:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F313db01b-8ee8-4df1-9a86-0de1bad46921?source=api-prod",6,[22,23,24,25,26,27],"class\u002FCommon\u002FFilesystem\u002FFilesystem.php","class\u002FCommon\u002FHttp\u002FHttp.php","class\u002FCommon\u002FMigration\u002FMigrationHelper.php","frontend\u002Fbuild-free\u002Fasset-manifest.json","frontend\u002Fbuild-free\u002Fstatic\u002Fjs\u002F567.85af58f8fc2f.js","frontend\u002Fbuild-free\u002Fstatic\u002Fjs\u002F567.85af58f8fc2f.js.LICENSE.txt","researched",false,3,"result\n### 1. Vulnerability Summary\nThe **WP Migrate Lite** plugin (up to version 2.7.8) is vulnerable to **Cross-Site Request Forgery (CSRF)** due to missing or inadequate nonce validation on administrative actions. Specifically, the plugin implements a mechanism in `Http::http_verify_download()` that triggers file operations via the `Filesystem` class without verifying a WordPress nonce. \n\nWhile the plugin generates secure URLs for some actions (like diagnostic log downloads in `MigrationHelper.php`), it maintains an alternative, unprotected path in `Http::http_verify_download()` that responds to the `download` GET parameter. An attacker can trick a logged-in administrator into visiting a crafted URL, causing the server to execute filesystem actions (like generating or downloading migration files) without the administrator's intent.\n\n### 2. Attack Vector Analysis\n*   **Vulnerable Endpoint:** `wp-admin\u002Fadmin-ajax.php` (or any admin page if the hook is generic).\n*   **Vulnerable Action:** The `http_verify_download` function, which is triggered when the `download` parameter is present in a request.\n*   **HTTP Parameter:** `download` (GET).\n*   **Authentication Level:** Requires an authenticated administrator session (targeted via CSRF).\n*   **Preconditions:** The victim must be logged in as an administrator and click a malicious link or visit a page controlled by the attacker.\n\n### 3. Code Flow\n1.  **Entry Point:** The plugin registers various hooks","The WP Migrate Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the http_verify_download function. This allows unauthenticated attackers to trigger sensitive filesystem actions, such as downloading migration files or diagnostic logs, by tricking a logged-in administrator into clicking a malicious link.","\u002F\u002F class\u002FCommon\u002FHttp\u002FHttp.php line 179\n\n    \u002F**\n     * Check for download\n     * if found prepare file for download\n     *\n     * @return void\n     *\u002F\n    function http_verify_download()\n    {\n        if (!empty($_GET['download'])) {\n            $this->filesystem->download_file();\n        }\n    }\n\n---\n\n\u002F\u002F class\u002FCommon\u002FMigration\u002FMigrationHelper.php line 103\n\n            'this_website_name'             => sanitize_title_with_dashes(DB_NAME),\n            'this_download_url'             => network_admin_url($this->props->plugin_base . '&download='),\n            'this_prefix'                   => $site_details['prefix'], \u002F\u002F TODO: Remove backwards compatibility.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.8\u002Fclass\u002FCommon\u002FFilesystem\u002FFilesystem.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.9\u002Fclass\u002FCommon\u002FFilesystem\u002FFilesystem.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.8\u002Fclass\u002FCommon\u002FFilesystem\u002FFilesystem.php\t2023-05-18 13:24:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.9\u002Fclass\u002FCommon\u002FFilesystem\u002FFilesystem.php\t2026-06-02 13:47:12.000000000 +0000\n@@ -785,12 +785,26 @@\n         $util->set_time_limit();\n \n         $raw_dump_name = htmlspecialchars($_GET['download'], ENT_QUOTES | ENT_HTML5);\n+        \u002F\u002F Strip any path components to prevent directory traversal\n+        $raw_dump_name = basename($raw_dump_name);\n         $dump_name     = $table_helper->format_dump_name($raw_dump_name);\n         $diskfile      = $this->get_upload_info('path') . DIRECTORY_SEPARATOR . $dump_name;\n         if ($is_full_site_export) {\n             $diskfile = $this->get_upload_info('path') . DIRECTORY_SEPARATOR . $raw_dump_name . '.zip';\n         }\n \n+        \u002F\u002F Verify the resolved path is within the plugin's upload directory\n+        $upload_path = realpath($this->get_upload_info('path'));\n+        if ($upload_path === false) {\n+            wp_die(__('Upload directory not found.', 'wp-migrate-db'));\n+        }\n+\n+        $resolved_diskfile = realpath($diskfile);\n+        if ($resolved_diskfile === false ||\n+            strpos($resolved_diskfile, $upload_path . DIRECTORY_SEPARATOR) !== 0) {\n+            wp_die(__('Invalid file path.', 'wp-migrate-db'));\n+        }\n+\n         $filename         = basename($diskfile);\n         $last_dash        = strrpos($filename, '-');\n         $salt             = substr($filename, $last_dash, 6);\n@@ -827,7 +841,7 @@\n                 wp_die(sprintf(__('\u003Ch3>Output prevented download. \u003C\u002Fh3> %s', 'wp-migrate-db'), $msg));\n             }\n         } else {\n-            wp_die(__('Could not find the file to download:', 'wp-migrate-db') . '\u003Cbr>' . esc_html($diskfile));\n+            wp_die(__('Could not find the file to download.', 'wp-migrate-db'));\n         }\n     }\n \ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.8\u002Fclass\u002FCommon\u002FHttp\u002FHttp.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.9\u002Fclass\u002FCommon\u002FHttp\u002FHttp.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.8\u002Fclass\u002FCommon\u002FHttp\u002FHttp.php\t2024-02-08 19:11:30.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.9\u002Fclass\u002FCommon\u002FHttp\u002FHttp.php\t2026-06-02 13:47:12.000000000 +0000\n@@ -179,8 +179,22 @@\n      *\u002F\n     function http_verify_download()\n     {\n-        if (!empty($_GET['download'])) {\n-            $this->filesystem->download_file();\n+        if (empty($_GET['download'])) {\n+            return;\n         }\n+\n+        \u002F\u002F Verify user has appropriate capability\n+        $cap = is_multisite() ? 'manage_network_options' : 'export';\n+        if (!current_user_can($cap)) {\n+            wp_die(__('You do not have permission to download files.', 'wp-migrate-db'));\n+        }\n+\n+        \u002F\u002F Verify nonce to prevent CSRF\n+        $nonce = isset($_GET['nonce']) ? $_GET['nonce'] : '';\n+        if (!wp_verify_nonce($nonce, 'wpmdb-download')) {\n+            wp_die(__('Security check failed. Please refresh the page and try again.', 'wp-migrate-db'));\n+        }\n+\n+        $this->filesystem->download_file();\n     }\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.8\u002Fclass\u002FCommon\u002FMigration\u002FMigrationHelper.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.9\u002Fclass\u002FCommon\u002FMigration\u002FMigrationHelper.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.8\u002Fclass\u002FCommon\u002FMigration\u002FMigrationHelper.php\t2023-06-01 17:02:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-migrate-db\u002F2.7.9\u002Fclass\u002FCommon\u002FMigration\u002FMigrationHelper.php\t2026-06-02 13:47:12.000000000 +0000\n@@ -100,7 +100,7 @@\n             'this_uploads_dir'              => $site_details['uploads_dir'], \u002F\u002F TODO: Remove backwards compatibility.\n             'this_plugin_url'               => trailingslashit(plugins_url($this->props->plugin_folder_name)),\n             'this_website_name'             => sanitize_title_with_dashes(DB_NAME),\n-            'this_download_url'             => network_admin_url($this->props->plugin_base . '&download='),\n+            'this_download_url'             => network_admin_url($this->props->plugin_base . '&nonce=' . Util::create_nonce('wpmdb-download') . '&download='),\n             'this_prefix'                   => $site_details['prefix'], \u002F\u002F TODO: Remove backwards compatibility.\n             'this_temp_prefix'              => $this->props->temp_prefix,\n             'this_plugin_base'              => esc_html($this->props->plugin_base),","The exploit targets the unprotected `http_verify_download` function in the plugin's HTTP handler. An attacker crafts a URL targeting a WordPress administrator, appended with the `download` GET parameter (e.g., `wp-admin\u002Ftools.php?page=wp-migrate-db&download=backup_filename`). Since the plugin does not verify nonces or administrative capabilities before calling the file download method, the administrator's browser will execute the file operation automatically if they visit the link while authenticated. This can be used to exfiltrate database backups or diagnostic logs.","gemini-3-flash-preview","2026-06-26 01:33:31","2026-06-26 01:35:38",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","2.7.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-migrate-db\u002Ftags\u002F2.7.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-migrate-db.2.7.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-migrate-db\u002Ftags\u002F2.7.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-migrate-db.2.7.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-migrate-db\u002Ftags"]