CVE-2024-13609
published 2025-02-18


Priority: P2 77
CVSS 3.1: 5.9 (medium), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Status: Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 1.57% (72.4th percentile)
The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers to extract sensitive data including usernames and their respective password hashes during a short window of time in which the backup is in process.

Affected (2 ranges)

Vendor          | Product                                                                          | Version range | Fixed in
1clickmigration | 1_click_migration                                                                | <= 2.1        |
1clickmigration | 1_click_migration_backup_free_wordpress_migration_plugin_with_zero_downtime_easy | <= 2.2        |

Detection & IOCs (extracted from sources)

path: /wp-content/tmp/db/wp_users.sql
path: /wp-content/tmp/db/wp_usermeta.sql
path: /wp-content/tmp/db/wp_options.sql
path: /wp-content/tmp/db/wp_posts.sql
path: /wp-content/tmp/db/wp_comments.sql
path: /wp-content/tmp/db/wp_postmeta.sql
filename: class-ocm-backup.php
yara:
  contains_all(body, "CREATE TABLE", "INSERT INTO", "DROP TABLE") and contains(content_type, "application/sql") and status_code == 200
  • Unauthenticated HTTP GET requests to /wp-content/tmp/db/<table>.sql paths (e.g., wp_users.sql, wp_usermeta.sql) during an active backup window indicate exploitation attempts. Response body containing 'CREATE TABLE', 'INSERT INTO', and 'DROP TABLE' with Content-Type 'application/sql' and HTTP 200 confirms successful exposure.
  • The vulnerable backup files are only accessible during a short window while the backup is in process; monitor for unauthenticated access to /wp-content/tmp/db/*.sql paths.
  • A FOFA fingerprinting query can identify exposed instances of the vulnerable plugin.
  • Exploitation is only possible during a short time window while the backup is actively being created; the SQL dump files are transiently exposed and may not be present at other times.
  • The vulnerability affects all plugin versions up to and including 2.2; version 2.3 and above are remediated.
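The access-log check the bullets above describe, as an added example that is not part of this record or of the plugin: it parses combined-format web server logs (constructed sample lines below), flags requests for any .sql dump under /wp-content/tmp/db/, rates a 200 for the users/usermeta tables highest, and counts attempts per client so a scripted pull across several tables stands out. The table-name set assumes the default wp_ prefix.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2025:10:01:05 +0000] "GET /wp-content/tmp/db/wp_users.sql HTTP/1.1" 200 48213 "-" "curl/8.4.0"
203.0.113.10 - - [18/Feb/2025:10:01:06 +0000] "GET /wp-content/tmp/db/wp_usermeta.sql HTTP/1.1" 200 91020 "-" "curl/8.4.0"
198.51.100.7 - - [18/Feb/2025:10:02:11 +0000] "GET /wp-content/tmp/db/wp_options.sql HTTP/1.1" 404 215 "-" "Mozilla/5.0"
192.0.2.44 - - [18/Feb/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=ocm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined-log-format fields we need: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Any .sql dump under the plugin's transient backup directory (table name captured).
TMP_DB_RE = re.compile(r'^/wp-content/tmp/db/([^/?]+)\.sql$')
# Tables whose exposure yields credentials; assumes the default wp_ prefix (constructed).
CREDENTIAL_TABLES = {'wp_users', 'wp_usermeta'}

def scan(log_text):
    """Return one finding per request for a transient backup dump."""
    # 200 = dump was served (confirmed exposure); anything else = probe that missed the window.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m['path'].split('?', 1)[0]  # ignore query strings
        t = TMP_DB_RE.match(path)
        if not t:
            continue
        status = int(m['status'])
        table = t.group(1)
        if status == 200 and table in CREDENTIAL_TABLES:
            severity = 'critical'   # usernames and password hashes were served
        elif status == 200:
            severity = 'high'       # some other table dump was served
        else:
            severity = 'low'        # attempt outside the backup window
        findings.append({'ip': m['ip'], 'ts': m['ts'], 'path': path,
                         'table': table, 'status': status, 'severity': severity})
    return findings

def attempts_per_client(findings):
    """Count dump requests per client IP; bursts across tables suggest a scripted pull."""
    return dict(Counter(f['ip'] for f in findings))
```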

CVSS provenance

NVD (v3.1): 5.9 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 5.9 MEDIUM