CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2268 – WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-2268
The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.8, acepta todos los archivos zip y extrae automáticamente el archivo zip sin validar el tipo de archivo extraído. Permitiendo a usuarios con altos privilegios, como el administrador, subir un archivo arbitrario como PHP, conllevando a un RCE • https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36386 – WordPress Import any XML or CSV File to WordPress plugin <= 3.6.7 - Authenticated Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2022-36386
Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress. Una vulnerabilidad de Ejecución de Código Arbitrario Autenticado en el plugin Soflyy Import any XML or CSV File to WordPress versiones anteriores a 3.6.7 incluyéndola, en WordPress The WP All Import plugin for WordPress is vulnerable to arbitrary code execution in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level permissions and above, to execute arbitrary code. • https://patchstack.com/database/vulnerability/wp-all-import/wordpress-import-any-xml-or-csv-file-to-wordpress-plugin-3-6-7-authenticated-arbitrary-code-execution-vulnerability https://wordpress.org/plugins/wp-all-import/#developers • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1800 – Export any WordPress data to XML/CSV < 1.3.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2022-1800
The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 does not sanitize the cpt POST parameter when exporting post data before using it in a database query, leading to an SQL injection vulnerability. El plugin Export any WordPress data to XML/CSV de WordPress versiones anteriores a 1.3.5, no sanea el parámetro cpt POST cuando son exportados los datos de la entrada antes de usarlos en una consulta a la base de datos, conllevando a una vulnerabilidad de inyección SQL • https://wpscan.com/vulnerability/4267109c-0ca2-441d-889d-fb39c235f128 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24714 – WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24714
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.3, no escapa de los campos Title y Unique Identifier de la importación antes de mostrarlos en las páginas de administración, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site incluso cuando la capacidad unfiltered_html no está permitida • https://wpscan.com/vulnerability/a8d314b9-26ac-4b56-a85c-a2528e55e73a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-9331 – Import any XML or CSV File to WordPress <= 3.2.3 & PRO < 4.1.1 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2015-9331
The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit. El plugin wp-all-import antes de 3.2.4 para WordPress no tiene prevención de solicitudes no autenticadas a adminInit. • https://wordpress.org/plugins/wp-all-import/#developers • CWE-254: 7PK - Security Features CWE-862: Missing Authorization •