CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36386 – WordPress Import any XML or CSV File to WordPress plugin <= 3.6.7 - Authenticated Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2022-36386
Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress. Una vulnerabilidad de Ejecución de Código Arbitrario Autenticado en el plugin Soflyy Import any XML or CSV File to WordPress versiones anteriores a 3.6.7 incluyéndola, en WordPress The WP All Import plugin for WordPress is vulnerable to arbitrary code execution in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level permissions and above, to execute arbitrary code. • https://patchstack.com/database/vulnerability/wp-all-import/wordpress-import-any-xml-or-csv-file-to-wordpress-plugin-3-6-7-authenticated-arbitrary-code-execution-vulnerability https://wordpress.org/plugins/wp-all-import/#developers • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24714 – WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24714
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.3, no escapa de los campos Title y Unique Identifier de la importación antes de mostrarlos en las páginas de administración, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site incluso cuando la capacidad unfiltered_html no está permitida • https://wpscan.com/vulnerability/a8d314b9-26ac-4b56-a85c-a2528e55e73a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-9331 – Import any XML or CSV File to WordPress <= 3.2.3 & PRO < 4.1.1 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2015-9331
The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit. El plugin wp-all-import antes de 3.2.4 para WordPress no tiene prevención de solicitudes no autenticadas a adminInit. • https://wordpress.org/plugins/wp-all-import/#developers • CWE-254: 7PK - Security Features CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0546 – WP All Import <= 3.4.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-0546
Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.6 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de Cross-Site Scripting (XSS) en el plugin WP All Import, en versiones anteriores a la 3.4.6 para WordPress, permite que los atacantes inyecten scripts web o HTML arbitrarios utilizando vectores no especificados. • https://jvn.jp/en/jp/JVN33527174/index.html https://plugins.trac.wordpress.org/changeset/1742744 https://wordpress.org/plugins/wp-all-import/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0547 – WP All Import <= 3.4.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-0547
Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de Cross-Site Scripting (XSS) en el plugin WP All Import, en versiones anteriores a la 3.4.7 para WordPress, permite que los atacantes inyecten scripts web o HTML arbitrarios utilizando vectores no especificados. • https://jvn.jp/en/jp/JVN60032768/index.html https://plugins.trac.wordpress.org/changeset/1827741 https://wordpress.org/plugins/wp-all-import/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •