Import any XML or CSV File to WordPress <= 3.2.3 - RCE
| Description | WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called allows this to be leveraged in many ways. |
Affects Plugin
|
fixed in version 3.2.4
|
References
| PACKETSTORM | 130596 |
| URL | http://www.wpallimport.com/2015/02/wp-import-4-1-1-mandatory-security-update/ |
| URL | http://www.pritect.net/blog/wp-all-import-vulnerability |
Classification
| Type | RCE |
| OWASP Top 10 | A1: Injection |
| CWE | CWE-94 |
Miscellaneous
| Submitter | James Golovich |
| Submitter Website | http://www.pritect.net |
| Views | 2001 |
| Verified | No |
| WPVDB ID | 7809 |
Timeline
| Publicly Published | 2015-02-26 (almost 4 years ago) |
| Added | 2015-02-26 (almost 4 years ago) |
| Last Updated | 2017-10-17 (over 1 year ago) |
Copyright & License
| Copyright | All data and resources contained within this page and this web site is Copyright © The WPScan Team. |
| License | Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us. |
