Import any XML or CSV File to WordPress <= 3.2.3 - RCE
| Description | WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called allows this to be leveraged in many ways. |
Affects Plugin
|
fixed in version 3.2.4
|
References
| PACKETSTORM | 130596 |
| URL | http://www.wpallimport.com/2015/02/wp-import-4-1-1-mandatory-security-update/ |
| URL | http://www.pritect.net/blog/wp-all-import-vulnerability |
Classification
| Type | RCE |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-94 |
Miscellaneous
| Submitter | James Golovich |
| Submitter Website | http://www.pritect.net |
| Views | 3939 |
| Verified | No |
| WPVDB ID | 7809 |
Timeline
| Publicly Published | 2015-02-26 (over 4 years ago) |
| Added | 2015-02-26 (over 4 years ago) |
| Last Updated | 2017-10-17 (almost 2 years ago) |
