The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-5753

CVE-2026-5753: WordPress Migration Plugin Auth Bypass Flaw

CVE-2026-5753 is an authorization bypass vulnerability in the All-in-One WP Migration Unlimited Extension plugin for WordPress. Attackers can create scheduled exports and steal full site backups, exposing sensitive data.

Published: May 7, 2026

CVE-2026-5753 Overview

CVE-2026-5753 is a Missing Authorization vulnerability [CWE-862] in the All-in-One WP Migration Unlimited Extension plugin for WordPress. The flaw affects all versions up to and including 2.83. The Ai1wmve_Schedules_Controller::save handler bound to admin_post_ai1wm_schedule_event_save does not verify user capabilities before saving schedule data. Authenticated users with subscriber-level access or higher can create scheduled export jobs and direct backup notifications to attacker-controlled email addresses. Because those notifications include the random backup filename, attackers can subsequently download full site backups from the target. The result is sensitive information exposure across the entire WordPress installation.

Critical Impact

Subscriber-level users can exfiltrate full WordPress site backups by hijacking scheduled export notifications.

Affected Products

  • All-in-One WP Migration Unlimited Extension plugin for WordPress, versions up to and including 2.83
  • WordPress sites operated by ServMask using the Unlimited Extension
  • Any WordPress deployment allowing subscriber-level registration with this plugin enabled

Discovery Timeline

  • 2026-05-06 - CVE-2026-5753 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-5753

Vulnerability Analysis

The vulnerability resides in the Ai1wmve_Schedules_Controller::save method, which is registered as the handler for the admin_post_ai1wm_schedule_event_save action. WordPress exposes admin_post_* actions to any authenticated user by default. The handler accepts schedule configuration data, including the destination email address for backup notifications, and persists it without checking whether the requester holds an administrator capability such as manage_options or export. This authorization gap converts a privileged administrative function into a feature reachable by any logged-in subscriber.

Once a malicious schedule is saved, the plugin generates a backup archive on its normal cadence and emails the notification to the attacker-supplied address. The notification body contains the random filename component used to obscure backup downloads. With that filename, the attacker reconstructs the public download URL and retrieves the entire WordPress backup, including database contents, user records, and uploaded files.

Root Cause

The root cause is a missing capability check inside the save handler. The function does not call current_user_can() or an equivalent guard before processing the request. WordPress nonce verification alone, when present, only proves request authenticity — it does not enforce role-based authorization. The randomized backup filename was treated as a security boundary, but exposing it through user-controlled email destinations defeats that obscurity-based control.

Attack Vector

The attacker first registers or obtains a subscriber-level account on the target site. They then submit an authenticated POST request to /wp-admin/admin-post.php with the action parameter set to ai1wm_schedule_event_save and a schedule payload that specifies an attacker-controlled notification email. After the next scheduled export runs, the attacker receives the email containing the backup filename and downloads the archive directly from the target host.

No verified public exploit code is available. Refer to the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2026-5753

Indicators of Compromise

  • POST requests to /wp-admin/admin-post.php with the action parameter equal to ai1wm_schedule_event_save originating from non-administrator accounts
  • Outbound backup notification emails sent to addresses outside the organization's known administrator list
  • Unexpected entries in the All-in-One WP Migration schedules table referencing unfamiliar email recipients
  • Web server access log entries showing downloads of .wpress backup archives from unauthenticated or unknown source IPs

Detection Strategies

  • Audit the WordPress options table for plugin schedule entries and correlate notification email fields against the approved administrator roster
  • Inspect web server access logs for admin-post.php requests where the requesting session belongs to a subscriber, contributor, or author role
  • Monitor outbound SMTP traffic from the WordPress host for backup notification subjects sent to external domains

Monitoring Recommendations

  • Alert on any HTTP request invoking ai1wm_schedule_event_save from sessions lacking the manage_options capability
  • Track creation and modification events on All-in-One WP Migration schedule records and review them during weekly access reviews
  • Forward WordPress and reverse proxy logs to a centralized SIEM and build a rule for retrieval of .wpress files from non-admin IP ranges

How to Mitigate CVE-2026-5753

Immediate Actions Required

  • Update the All-in-One WP Migration Unlimited Extension plugin to a version newer than 2.83 once the vendor publishes a fix per the ServMask changelog
  • Audit the WordPress user list and remove or downgrade unrecognized subscriber accounts
  • Review existing scheduled export jobs and delete any whose notification email is not owned by an administrator
  • Rotate WordPress administrator credentials and database secrets if backup exfiltration is suspected

Patch Information

ServMask maintains release notes for the Unlimited Extension at the ServMask Unlimited Extension Changelog. Apply the first vendor release that supersedes version 2.83 and explicitly references the missing authorization fix. Until that release is installed, treat the plugin as exposing a privileged action to all authenticated users.

Workarounds

  • Disable the All-in-One WP Migration Unlimited Extension plugin until a patched version is installed
  • Restrict access to /wp-admin/admin-post.php?action=ai1wm_schedule_event_save at the web server or WAF layer to administrator IP ranges
  • Disable open user registration and require manual approval for new accounts to limit subscriber-level attackers
  • Move existing backup archives off the public web root so leaked filenames cannot be retrieved over HTTP
bash
# Example NGINX rule to block the vulnerable handler from non-admin sources
location = /wp-admin/admin-post.php {
    if ($arg_action = "ai1wm_schedule_event_save") {
        allow 203.0.113.0/24;   # admin office range
        deny all;
    }
    include fastcgi_params;
    fastcgi_pass php-upstream;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechWordpress
  • SeverityMEDIUM
  • CVSS Score6.5
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-862
  • Technical References
  • Servmask Changelog Guide
  • Wordfence Vulnerability Report
  • Related CVEs
  • CVE-2026-6214: Forminator Forms Auth Bypass Vulnerability
  • CVE-2026-4807: WordPress Appointment Booking Auth Bypass
  • CVE-2026-32834: WordPress PayPal Plugin Auth Bypass Flaw
  • CVE-2026-4024: Royal Addons Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English