CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36386 – WordPress Import any XML or CSV File to WordPress plugin <= 3.6.7 - Authenticated Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2022-36386
Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress. Una vulnerabilidad de Ejecución de Código Arbitrario Autenticado en el plugin Soflyy Import any XML or CSV File to WordPress versiones anteriores a 3.6.7 incluyéndola, en WordPress The WP All Import plugin for WordPress is vulnerable to arbitrary code execution in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level permissions and above, to execute arbitrary code. • https://patchstack.com/database/vulnerability/wp-all-import/wordpress-import-any-xml-or-csv-file-to-wordpress-plugin-3-6-7-authenticated-arbitrary-code-execution-vulnerability https://wordpress.org/plugins/wp-all-import/#developers • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24714 – WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24714
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.3, no escapa de los campos Title y Unique Identifier de la importación antes de mostrarlos en las páginas de administración, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site incluso cuando la capacidad unfiltered_html no está permitida • https://wpscan.com/vulnerability/a8d314b9-26ac-4b56-a85c-a2528e55e73a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-9331 – Import any XML or CSV File to WordPress <= 3.2.3 & PRO < 4.1.1 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2015-9331
The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit. El plugin wp-all-import antes de 3.2.4 para WordPress no tiene prevención de solicitudes no autenticadas a adminInit. • https://wordpress.org/plugins/wp-all-import/#developers • CWE-254: 7PK - Security Features CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16259
https://notcve.org/view.php?id=CVE-2018-16259
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-settings large_feed_limit. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator Existe una vulnerabilidad Cross-Site Scripting (XSS) en el plugin WP All Import versión 3.4.9 para WordPress mediante pmxi-admin-settings large_feed_limit.NOTA: El proveedor declara que esto no es una vulnerabilidad. WP All Import solo puede ser utilizado por un administrador que ha iniciado sesión, y la acción descrita solo puede ser aprovechada por un administrador que ha iniciado sesión. • https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16258
https://notcve.org/view.php?id=CVE-2018-16258
There is an XSS vulnerability in WP All Import plugin 3.4.9 for WordPress via pmxi-admin-import custom_type. NOTE: The vendor states that this is not a vulnerability. WP All Import is only able to be used by a logged in administrator, and the action described can only be taken advantage of by a logged in administrator ** EN DISPUTA ** Vulnerabilidad de Cross-Site Scripting (XSS) en el plugin WP All Import versión 3.4.9 para WordPress mediante pmxi-admin-import custom_type.NOTA: El proveedor declara que esto no es una vulnerabilidad. WP All Import solo puede ser utilizado por un administrador que ha iniciado sesión, y la acción descrita solo puede ser aprovechada por un administrador que ha iniciado sesión. • https://ansawaf.blogspot.com/2019/04/xss-in-import-any-xml-or-csv-file-for.html https://docs.google.com/document/d/1Lfk0YQMIhlMCOOvVRX8HkU6C50s9QSW7C-9gnNmzsHY/edit?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •