Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Admin authentication required (PR:H), network-accessible AJAX endpoint (AV:N), scope changes to internal services reachable from server (S:C), with limited confidentiality and integrity impact only.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 3.9.30 via the wpie_import_upload_file_from_url AJAX action. The plugin's URL downloader first calls wp_safe_remote_get() (which correctly blocks private/reserved IP ranges), but when that call returns a WP_Error - the exact outcome for any blocked internal host - the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original attacker-supplied URL and no SSRF protection (and with TLS verification disabled). This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services such as the cloud metadata endpoint at 169.
AnalysisAI
Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with administrator-level access or higher, as confirmed by the CVSS PR:H metric - subscriber, contributor, editor, or author roles cannot trigger this AJAX action. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N reflects a network-accessible, low-complexity attack requiring high-privilege authentication, with a scope change to downstream internal systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A WordPress administrator, or an attacker who has obtained admin credentials through phishing or credential stuffing, sends a crafted authenticated AJAX POST to wpie_import_upload_file_from_url with the URL parameter set to http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role. WordPress's wp_safe_remote_get() correctly blocks the link-local address and returns a WP_Error; the plugin's fallback logic then reissues the same request via GuzzleHttp with no IP filtering and TLS verification disabled, and the cloud metadata service returns the IAM role's temporary access key, secret, and session token to the attacker. … |
| Remediation | An upstream fix has been committed to the plugin's WordPress.org trunk (revision 3587811, viewable at the trunk download.php Trac reference), but a specific released patched version number beyond 3.9.30 is not confirmed in the available data - administrators should monitor the WordPress.org plugin page and apply any update above 3.9.30 as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wp Import Export Lite
View allThe WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validati
The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ fu
Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.9.26. Rated medium severity (CVSS 4.
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validati
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41489
GHSA-w7wg-w2g9-vmjq