WP All Import Pro <= 4.1.0 - RCE



Description
WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called, this can be leveraged in many ways.

Affects Plugin

Fixed in version 4.1.1

References

URL http://www.wpallimport.com/2015/02/wp-import-4-1-1-mandatory-security-update/
URL http://www.pritect.net/blog/wp-all-import-vulnerability

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 4187
Verified No
WPVDB ID 7810

Timeline

Publicly Published 2015-02-26
Added 2015-02-26
Last Updated 2015-05-15