
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. The Import XML and RSS Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moove_save_import_template() function in versions up to, and including, 2.1.3. This makes it possible for authenticated attackers with administrative-level access to upload arbitrary files on the affected site's server, which may make remote code execution possible.

• https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 2% | CPEs: 1 | EXPL: 1

The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised; the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version. The Import XML and RSS Feeds plugin for WordPress is vulnerable to remote code execution in versions up to, and including, 2.1.4.

• https://wpscan.com/vulnerability/de2cdb38-3a9f-448e-b564-a798d1e93481
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.1 | EPSS: 33% | CPEs: 1 | EXPL: 1

Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action. The Import XML and RSS Feeds plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 2.0.2 via the data parameter in a moove_read_xml action.

• https://github.com/dwisiswant0/CVE-2020-24148
• https://github.com/secwx/research/blob/main/cve/CVE-2020-24148.md
• https://wordpress.org/plugins/import-xml-feed/#developers
• CWE-918: Server-Side Request Forgery (SSRF)