Advanced Import
Monthly
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
The Advanced Import WordPress plugin before 1.3.8 does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Server-Side Request Forgery in the Advanced Import WordPress plugin (all versions through 1.4.6) allows authenticated users holding Author-level access or higher to force the web server to issue HTTP requests to arbitrary internal or external URLs via the demo_download_and_unzip() AJAX handler. The critical design flaw is the inconsistent use of wp_remote_get() instead of WordPress's own wp_safe_remote_get() - which the plugin correctly employs elsewhere - meaning no SSRF-aware URL validation is applied to the 'demo_file' POST parameter when 'demo_file_type' is set to 'url'. No public exploit code has been identified at time of analysis, but the scope change in the CVSS vector reflects that successful exploitation escapes the WordPress application boundary and can reach internal network services, including cloud instance metadata endpoints such as AWS IMDSv1.
The Advanced Import WordPress plugin before 1.3.8 does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.