Import any XML or CSV File to WordPress <= 3.2.3 - RCE
| Description | WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called allows this to be leveraged in many ways. |
Affects Plugin
|
fixed in version 3.2.4
|
References
| CVE | 2015-9331 |
| PACKETSTORM | 130596 |
| URL | http://www.wpallimport.com/2015/02/wp-import-4-1-1-mandatory-security-update/ |
| URL | http://www.pritect.net/blog/wp-all-import-vulnerability |
Classification
| Type | RCE |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-94 |
Miscellaneous
| Submitter | James Golovich |
| Submitter Website | http://www.pritect.net |
| Views | 4286 |
| Verified | No |
| WPVDB ID | 7809 |
Timeline
| Publicly Published | 2015-02-26 (over 4 years ago) |
| Added | 2015-02-26 (over 4 years ago) |
| Last Updated | 2019-10-21 (27 days ago) |
Our Other Services
| Online WordPress Vulnerability Scanner | WPScan WordPress Security Plugin |
