CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 1CVE-2023-4724 – WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
https://notcve.org/view.php?id=CVE-2023-4724
24 Nov 2023 — The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server Los complementos Export any WordPress data to XML/CSV de WordPress anterior a 1.4.0 y el complemento WP All Export Pro de WordPress anterior a 1.8.6 no validan ni sanitizan el parámetro `wp_query` que permite a un atacante ejecutar comandos arbitrarios en el servid... • https://wpscan.com/vulnerability/48820f1d-45cb-4f1f-990d-d132bfc5536f • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-5882 – WP All Export (Free < 1.4.1, Pro < 1.8.6) - Remote Code Execution via CSRF
https://notcve.org/view.php?id=CVE-2023-5882
24 Nov 2023 — The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution. El complemento Export any WordPress data to XML/CSV de WordPress anterior a 1.4.0, el complemento WP All Export Pro de WordPress anterior a 1.8.6 no verifica los tokens nonce lo suficientemente temprano en el ciclo de vida ... • https://wpscan.com/vulnerability/72be4b5c-21be-46af-a3f4-08b4c190a7e2 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-5886 – WP All Export (Free < 1.4.1, Pro < 1.8.6) - Author+ PHAR Deserialization via CSRF
https://notcve.org/view.php?id=CVE-2023-5886
24 Nov 2023 — The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution. El complemento Export any WordPress data to XML/CSV de WordPress anterior a 1.4.0, el complemento WP All Export Pro de WordPress anterior a 1.8.6 no v... • https://wpscan.com/vulnerability/0a08e49d-d34e-4140-a15d-ad64444665a3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3394 – WP All Export Pro < 1.7.9 - Authenticated Code Injection
https://notcve.org/view.php?id=CVE-2022-3394
03 Oct 2022 — The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be delegated to lower privileged users. El plugin WP All Export Pro de WordPress versiones anteriores a 1.7.9, no limita algunas funcionalidades durante las exportaciones sólo a us... • https://wpscan.com/vulnerability/3266eb59-a8b2-4a5a-ab48-01a9af631b2c • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3395 – WP All Export Pro < 1.7.9 - Authenticated SQLi
https://notcve.org/view.php?id=CVE-2022-3395
03 Oct 2022 — The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well. El plugin WP All Export Pro de WordPress versiones anteriores a 1.7.9, usa el contenido del parámetro POST cc_... • https://wpscan.com/vulnerability/10742154-368a-40be-a67d-80ea848493a0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24708 – WP All Export < 1.3.1 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24708
06 Oct 2021 — The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed El plugin Export any WordPress data to XML/CSV de WordPress versiones anteriores a 1.3.1, no escapa el nombre de su exportación antes de mostrarlo en la configuración de Manage Exports, que podría permitir a usuarios muy pri... • https://wpscan.com/vulnerability/4560eef4-253b-49a4-8e20-9520c45c6f7f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •