CVE-2026-5753
Description
The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The All-in-One WP Migration Unlimited Extension plugin <=2.83 lacks authorization checks, allowing subscribers to create scheduled exports and leak backup filenames, enabling full site backup downloads.
Missing Authorization in Schedule Controller
The All-in-One WP Migration Unlimited Extension plugin for WordPress, up to version 2.83, contains a missing authorization vulnerability in the Ai1wmve_Schedules_Controller::save handler. The handler for the admin_post_ai1wm_schedule_event_save action does not verify user capabilities before saving schedule data, allowing any authenticated user with subscriber-level access or higher to create scheduled export jobs [1].
Exploitation and Attack Surface
An attacker who is authenticated as a subscriber (or higher) can craft a request to the vulnerable endpoint to create a scheduled backup event. The plugin then sends backup notifications to email addresses specified by the attacker. These notifications include the random backup filename, which is otherwise not publicly accessible [1].
Impact
With the backup filename in hand, the attacker can directly download the full site backup from the target WordPress installation. This exposes all site data, including database contents, uploaded files, and configuration details, leading to sensitive information exposure [1].
Mitigation
The vendor addressed this issue in version 2.84 of the Unlimited Extension, released on April 16, 2026, which fixed the permission issue in the settings form [1]. Users are strongly advised to update to version 2.84 or later.
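The class of fix described above, as an added example: this is not the vendor's patch or any code from the plugin. The action name, nonce name, option name, form field, admin page slug and the choice of the `manage_options` capability are all hypothetical.

```php
<?php
/**
 * Plugin Name: Example schedule handler (added illustration, hypothetical)
 */

// admin_post_{action} fires for ANY logged-in user who POSTs to
// wp-admin/admin-post.php, subscribers included. Registering the hook is
// not an authorization decision; the callback has to make one itself.
add_action( 'admin_post_example_schedule_save', 'example_schedule_save' );

function example_schedule_save() {
	// 1. Authorization: refuse callers without an administrative capability.
	//    'manage_options' is an assumed choice for this sketch.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to manage schedules.', '', array( 'response' => 403 ) );
	}

	// 2. Intent: check_admin_referer() dies on a missing or invalid nonce,
	//    so a forged cross-site POST cannot reuse an admin's session.
	check_admin_referer( 'example_schedule_save', 'example_nonce' );

	// 3. Validate the notification address before it is stored.
	$raw   = isset( $_POST['notify_email'] ) && is_string( $_POST['notify_email'] )
		? wp_unslash( $_POST['notify_email'] )
		: '';
	$email = sanitize_email( $raw );
	if ( '' !== $raw && ! is_email( $email ) ) {
		wp_die( 'Invalid notification address.', '', array( 'response' => 400 ) );
	}

	// 4. Persist the schedule and record who created it for later audit.
	update_option(
		'example_schedule',
		array(
			'notify_email' => $email,
			'created_by'   => get_current_user_id(),
		),
		false
	);

	wp_safe_redirect( admin_url( 'admin.php?page=example-schedules' ) );
	exit;
}
```

The capability check comes before the nonce check so that a low-privileged user who can obtain a valid nonce is still rejected.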
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.83
- (no CPE) range: <=2.83
Patches
No patches discovered yet.
References
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 4, 2026 to May 10, 2026), Wordfence Blog · May 14, 2026