Skip to main content

WP Import Export Lite CVE-2026-11397

| EUVDEUVD-2026-41489 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-03 Wordfence GHSA-w7wg-w2g9-vmjq
5.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.5 MEDIUM

Admin authentication required (PR:H), network-accessible AJAX endpoint (AV:N), scope changes to internal services reachable from server (S:C), with limited confidentiality and integrity impact only.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 05:46 vuln.today
CVE Published
Jul 03, 2026 - 04:30 cve.org
MEDIUM 5.5

DescriptionCVE.org

The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 3.9.30 via the wpie_import_upload_file_from_url AJAX action. The plugin's URL downloader first calls wp_safe_remote_get() (which correctly blocks private/reserved IP ranges), but when that call returns a WP_Error - the exact outcome for any blocked internal host - the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original attacker-supplied URL and no SSRF protection (and with TLS verification disabled). This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services such as the cloud metadata endpoint at 169.

AnalysisAI

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress administrator
Delivery
Submit crafted AJAX URL import request targeting internal host (e.g., 169.254.169.254)
Exploit
wp_safe_remote_get() blocks private-range URL and returns WP_Error
Execution
Plugin fallback invokes Guzzle HTTP client with original URL and no SSRF protection
Persist
Guzzle fetches internal resource with TLS verification disabled
Impact
Attacker receives sensitive internal service response (e.g., cloud IAM credentials)

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with administrator-level access or higher, as confirmed by the CVSS PR:H metric - subscriber, contributor, editor, or author roles cannot trigger this AJAX action. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N reflects a network-accessible, low-complexity attack requiring high-privilege authentication, with a scope change to downstream internal systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A WordPress administrator, or an attacker who has obtained admin credentials through phishing or credential stuffing, sends a crafted authenticated AJAX POST to wpie_import_upload_file_from_url with the URL parameter set to http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role. WordPress's wp_safe_remote_get() correctly blocks the link-local address and returns a WP_Error; the plugin's fallback logic then reissues the same request via GuzzleHttp with no IP filtering and TLS verification disabled, and the cloud metadata service returns the IAM role's temporary access key, secret, and session token to the attacker. …
Remediation An upstream fix has been committed to the plugin's WordPress.org trunk (revision 3587811, viewable at the trunk download.php Trac reference), but a specific released patched version number beyond 3.9.30 is not confirmed in the available data - administrators should monitor the WordPress.org plugin page and apply any update above 3.9.30 as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11397 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy