Skip to main content

Wp Import Export Lite

5 CVEs product

Monthly

CVE-2026-11397 MEDIUM This Month

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.

WordPress SSRF Wp Import Export Lite
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-6207 HIGH PATCH This Week

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Wp Import Export Lite PHP
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-5061 HIGH PATCH This Month

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Wp Import Export Lite PHP
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-2839 MEDIUM PATCH This Month

The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wp Import Export Lite PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-31308 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.9.26. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Wp Import Export Lite
NVD
CVSS 3.1
4.4
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM This Month

Server-Side Request Forgery in WP Import Export Lite (all versions ≤ 3.9.30) allows authenticated administrators to bypass WordPress's native SSRF protections and reach internal network resources, including cloud instance metadata endpoints. The bypass exploits a design flaw: when WordPress's wp_safe_remote_get() correctly blocks a private-range URL and returns a WP_Error, the plugin's Download::download_file() method interprets that error as a cue to retry the original attacker-supplied URL via GuzzleHttp with no filtering and TLS verification disabled. No public exploit is identified at time of analysis and no CISA KEV listing exists, but the cloud credential theft scenario on hosted WordPress environments elevates practical impact beyond the 5.5 base score.

WordPress SSRF Wp Import Export Lite
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Month

The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload +2
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wp Import Export Lite +1
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.9.26. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Deserialization Wp Import Export Lite
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy