CVE-2022-1476 MEDIUM

CVE-2022-1476: All-in-One WP Migration <= 7.58 - Directory Traversal to File Deletion on Windows Hosts

Vendor Servmask
Product All-in-One WP Migration and Backup
Weakness CWE-22 · Path traversal
Published May 10, 2022
Last update April 8, 2026

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The All-in-One WP Migration plugin for WordPress is vulnerable to arbitrary file deletion via directory traversal due to insufficient file validation via the ~/lib/model/class-ai1wm-backups.php file, in versions up to, and including, 7.58. This can be exploited by administrative users, and users who have access to the site's secret key.

Key dates

02Disclosure timeline

May 10, 2022 CVE published
April 8, 2026 Record updated