Cyber Posture

CVE-2024-13609

Medium

Published: 18 February 2025

Published
18 February 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.1770 95.2th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13609 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in 1Clickmigration 1 Click Migration. Its CVSS base score is 5.9 (Medium).

Operationally, ranked in the top 4.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AU-13 (Monitoring for Information Disclosure).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely remediation via the available patch in WordPress plugin changeset 3372639 directly corrects the flaw in class-ocm-backup.php that exposes sensitive data during backups.

AC-22 Publicly Accessible Content good match
prevent

Restricts publication of sensitive backup content on publicly accessible WordPress systems, preventing unauthenticated extraction of usernames and password hashes.

AU-13 Monitoring for Information Disclosure good match
detect

Monitors for unauthorized disclosure of sensitive information like usernames and password hashes during the backup process window.

NVD Description

The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers…

more

to extract sensitive data including usernames and their respective password hashes during a short window of time in which the backup is in process.

Deeper analysisAI

CVE-2024-13609 is a sensitive information exposure vulnerability (CWE-200) affecting the 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress, in all versions up to and including 2.2. The flaw is located in the class-ocm-backup.php component and has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility with high attack complexity but high confidentiality impact.

Unauthenticated attackers can exploit the vulnerability during a short window of time while a backup process is active, enabling them to extract sensitive data such as usernames and their corresponding password hashes from the plugin.

Advisories from Wordfence provide further details on the vulnerability, while a patch is available in WordPress plugin changeset 3372639. The affected source code in class-ocm-backup.php can be reviewed via the plugin's Trac browser.

Details

CWE(s)
CWE-200NVD-CWE-noinfo

Affected Products

1clickmigration
1 click migration
≤ 2.1

CVEs Like This One

CVE-2026-24870Shared CWE-200
CVE-2026-4020Shared CWE-200
CVE-2025-21620Shared CWE-200
CVE-2025-62188Shared CWE-200
CVE-2024-13562Shared CWE-200
CVE-2024-57716Shared CWE-200
CVE-2026-27161Shared CWE-200
CVE-2026-21260Shared CWE-200
CVE-2025-24102Shared CWE-200
CVE-2024-12142Shared CWE-200

References