WordPress Plugin Vulnerabilities

1 Click WordPress Migration Plugin – 100% FREE for a limited time < 2.3 - Cross-Site Request Forgery to Backup Process Cancellation

Description

The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the cancel_actions() function. This makes it possible for unauthenticated attackers to cancel a triggered backup via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
1-click-migration
Image Fixed in 2.3

References

CVE
CVE-2024-13555
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/aee963fa-26b5-4bf0-b52f-095c67fb4834

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Joshua Provoste
Verified
No
WPVDB ID
687ab34d-10b4-4282-a0bf-c1603da5d604

Timeline

Publicly Published
2025-02-17 (about 1 year ago)
Added
2025-02-17 (about 1 year ago)
Last Updated
2025-12-11 (about 4 months ago)

Other

Published
Title
Published
2019-06-27
Title
WP Better Permalinks <= 3.0.4 - CSRF allowing Option Update
Published
2025-11-25
Title
Quick Contact Form < 8.2.6 - Cross-Site Request Forgery
Published
2021-03-01
Title
eCommerce Product Catalog < 3.0.18 - Cross-Site Request Forgery
Published
2024-06-21
Title
ContentLock < 1.0.4 - Email Adding via CSRF
Published
2023-03-28
Title
IP Blocker Lite <= 11.1.1 - Cross-Site Request Forgery