Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

servmask

Source -

CNANVDADP

BOS Name -

N/A

CNA CVEs -

1

ADP CVEs -

2

CISA CVEs -

0

NVD CVEs -

4
Related CVEsRelated ProductsRelated AssignersReports
6Vulnerabilities found
CVE-2025-8490
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-Not Assigned
Published-26 Aug, 2025 | 23:22
Updated-27 Aug, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One WP Migration and Backup <= 7.97 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Import in all versions up to, and including, 7.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-servmask
Product-All-in-One WP Migration and Backup
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8852
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.29% / 51.97%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 05:33
Updated-25 Oct, 2024 | 21:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One WP Migration and Backup <= 7.86 - Unauthenticated Information Disclosure via Error Logs

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.86 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information such as full paths contained in the exposed log files.

Action-Not Available
Vendor-servmaskyaniilievservmask
Product-all-in-one_wp_migrationAll-in-One WP Migration and Backupall-in-one_wp_migration
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-40004
Assigner-Patchstack
ShareView Details
Assigner-Patchstack
CVSS Score-7.3||HIGH
EPSS-4.58% / 88.78%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 12:03
Updated-02 Aug, 2024 | 18:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauth. Access Token Manipulation vulnerability in multiple ServMask WordPress plugins

Missing Authorization vulnerability in ServMask All-in-One WP Migration Box Extension, ServMask All-in-One WP Migration OneDrive Extension, ServMask All-in-One WP Migration Dropbox Extension, ServMask All-in-One WP Migration Google Drive Extension.This issue affects All-in-One WP Migration Box Extension: from n/a through 1.53; All-in-One WP Migration OneDrive Extension: from n/a through 1.66; All-in-One WP Migration Dropbox Extension: from n/a through 3.75; All-in-One WP Migration Google Drive Extension: from n/a through 2.79.

Action-Not Available
Vendor-ServMaskservmask
Product-All-in-One WP Migration Dropbox ExtensionAll-in-One WP Migration OneDrive ExtensionAll-in-One WP Migration Box ExtensionAll-in-One WP Migration Google Drive Extensionall-in-one_wp_migration
CWE ID-CWE-862
Missing Authorization
CVE-2022-2546
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.7||MEDIUM
EPSS-69.56% / 98.59%
||
7 Day CHG+5.35%
Published-02 Feb, 2023 | 08:28
Updated-26 Mar, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One WP Migration < 7.63 - Unauthenticated Reflected XSS

The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victims session. Note: This requires knowledge of a static secret key

Action-Not Available
Vendor-servmaskUnknown
Product-all-in-one_wp_migrationAll-in-One WP Migration
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1476
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.6||MEDIUM
EPSS-23.16% / 95.72%
||
7 Day CHG~0.00%
Published-10 May, 2022 | 19:21
Updated-03 Aug, 2024 | 00:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The All-in-One WP Migration plugin for WordPress is vulnerable to arbitrary file deletion via directory traversal due to insufficient file validation via the ~/lib/model/class-ai1wm-backups.php file, in versions up to, and including, 7.58. This can be exploited by administrative users, and users who have access to the site's secret key.

Action-Not Available
Vendor-servmaskyaniiliev
Product-all-in-one_wp_migrationAll-in-One WP Migration
CVE-2021-24216
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-7.2||HIGH
EPSS-0.83% / 73.58%
||
7 Day CHG~0.00%
Published-07 Mar, 2022 | 08:15
Updated-03 Aug, 2024 | 19:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
All-in-One WP Migration < 7.41 - Admin+ Arbitrary File Upload to RCE

The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.

Action-Not Available
Vendor-servmaskUnknown
Product-one-stop_wp_migrationAll-in-One WP Migration
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type