CVE-2022-2546
Published: 02 February 2023
Summary
CVE-2022-2546 is a medium-severity vulnerability of unspecified weakness type in Servmask All-In-One Wp Migration. Its CVSS base score is 4.7 (Medium).
Operationally, it ranks in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The All-in-One WP Migration WordPress plugin before version 7.63 is affected by an improper output handling issue in the ai1wm_export AJAX action. The plugin uses an incorrect content type and fails to escape the server response, enabling injection of arbitrary HTML or JavaScript that executes in the context of a visitor's session. Exploitation requires knowledge of a static secret key and carries a CVSS 4.7 rating reflecting network attack vector, high complexity, no privileges, and required user interaction.
An attacker who knows the secret key can craft a malicious request to the AJAX endpoint. When any site visitor submits or triggers that request, the injected script runs in the visitor's browser session, allowing limited impacts such as data theft or session manipulation within the affected page context.
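The weakness class described above, shown as an added illustration rather than as the plugin's own code or anything taken from the advisory: a WordPress AJAX handler that echoes request-derived text into an undeclared (hence text/html) response, beside a hardened handler that requires a nonce and capability, sanitizes input, and replies as JSON so the browser never renders the payload as markup. The hook name `demo_export`, the `label` parameter and the nonce action `demo_export_nonce` are assumptions for the example; the WordPress API calls (`check_ajax_referer`, `wp_send_json_success`, `esc_html`, etc.) are real.

```php
<?php
// Added example, not the All-in-One WP Migration plugin's code.
// Hook name "demo_export", parameter "label" and nonce action "demo_export_nonce"
// are hypothetical names chosen for this illustration.

// Vulnerable pattern: request data is echoed without escaping and without an
// explicit Content-Type, so admin-ajax.php's default text/html applies and the
// browser will execute any <script> the parameter carries.
function demo_export_vulnerable() {
    $label = isset( $_REQUEST['label'] ) ? $_REQUEST['label'] : '';
    echo '<div class="status">Export: ' . $label . '</div>';
    wp_die();
}

// Hardened pattern: verify a nonce, require a capability, sanitize the input,
// and answer with a JSON content type plus encoded output.
function demo_export_hardened() {
    // Rejects requests that lack a valid nonce for this action (dies with 403 on failure).
    check_ajax_referer( 'demo_export_nonce', 'nonce' );

    if ( ! current_user_can( 'export' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $label = isset( $_REQUEST['label'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['label'] ) )
        : '';

    // wp_send_json_success() sets "Content-Type: application/json" and JSON-encodes
    // the payload, so the client must parse it as data rather than render it as HTML.
    // esc_html() additionally neutralises markup if the client later inserts the
    // value into the DOM.
    wp_send_json_success( array( 'label' => esc_html( $label ) ) );
}

// Only the hardened handler is registered; "wp_ajax_" limits it to logged-in users.
add_action( 'wp_ajax_demo_export', 'demo_export_hardened' );
```

If a handler genuinely must return an HTML fragment, the equivalent defence is to escape every interpolated value with `esc_html()`/`esc_attr()` and to send an explicit `Content-Type` header (for example `text/plain` for non-markup replies) together with `X-Content-Type-Options: nosniff`; for the affected plugin itself the fix is the upgrade to version 7.63 noted in the advisory.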
The referenced WPScan advisory at https://wpscan.com/vulnerability/f84920e4-a1fe-47cf-9ba5-731989c70f58 identifies the flaw and notes the fixed version.
EPSS for this CVE rose from a low baseline to a peak of 0.5455 on 2025-12-11 before receding to the current value of 0.1621, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-34800
Vulnerability details
The All-in-One WP Migration WordPress plugin before 7.63 uses the wrong content type, and does not properly escape the response from the ai1wm_export AJAX action, allowing an attacker to craft a request that, when submitted by any visitor, will inject arbitrary HTML or JavaScript into the response that will be executed in the victim's session. Note: this requires knowledge of a static secret key.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.