CVE-2026-49043

Vulnerability

The WP Migrate Lite plugin for WordPress versions up to and including 2.7.8 contains an unauthenticated Cross-Site Request Forgery (CSRF) vulnerability. This allows a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. The vulnerability does not require authentication to trigger, but successful exploitation requires a privileged user to perform an action such as clicking a malicious link or visiting a crafted page. [1]

Exploitation

An attacker can craft a malicious link or page that, when visited by an authenticated administrator or other privileged user, triggers a forged request to the WP Migrate Lite plugin. The attacker does not need any prior authentication or special privileges. The victim must be logged into WordPress and interact with the attacker's crafted content (e.g., click a link). The CSRF can target any action that the victim is authorized to perform within the plugin. [1]

Impact

Successful exploitation allows the attacker to perform unauthorized actions on the victim's WordPress site, such as modifying migration settings, initiating database migrations, or other plugin-specific operations, all under the victim's authenticated session. The impact is limited to the privileges of the victim user, typically an administrator. The CVSS score is 4.7 (Medium), and the vulnerability is considered low severity and unlikely to be exploited in mass campaigns. [1]

Mitigation

The vulnerability is fixed in version 2.7.9 of the WP Migrate Lite plugin. Users should update to this version or later. Patchstack users can enable auto-update for vulnerable plugins. If unable to update, users should ask their hosting provider or web developer for assistance. No other workarounds are mentioned in the available reference. [1]