Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
PR:L reflects mandatory Author-level authentication; S:C applies because server-side requests escape the WordPress application boundary into internal infrastructure.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.
AnalysisAI
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active, authenticated WordPress session with the upload_files capability - this corresponds to Author role or higher (Author, Editor, Administrator). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a moderate-severity SSRF with a scope change - the S:C metric is justified because the server's outbound request capability crosses the application trust boundary into internal network infrastructure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding an Author-level WordPress account - obtained through registration, credential stuffing, or account takeover - sends a crafted POST request to admin-ajax.php invoking the demo_download_and_unzip handler with demo_file_type set to 'url' and demo_file set to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The WordPress server fetches this URL from its own network context, returning cloud instance IAM role credentials to the attacker's session response. … |
| Remediation | The upstream fix has been committed to the WordPress plugin SVN repository as changeset 3566433; however, no specific released patched version number is independently confirmed from the available reference data - site operators should verify whether a version newer than 1.4.6 is available in the WordPress plugin directory and upgrade immediately upon confirmation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Advanced Import
View allSame weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37984
GHSA-qvcr-v37j-859c