Import All Pages Post Types Products Orders And Users As Xml Csv
CVE-2022-1977
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks
AnalysisAI
The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks Affected products include: Smackcoders Import All Pages\, Post Types\, Products\, Orders\, And Users As Xml \& Csv. Version information: before 6.5.3.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not properly sanitise and escape imported data before u
The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escaped
The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allo
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today