CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31939 – WordPress Import any XML or CSV File to WordPress plugin <= 3.7.3 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31939
10 Apr 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Import any XML or CSV File to WordPress.This issue affects Import any XML or CSV File to WordPress: from n/a through 3.7.3. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Soflyy Importe cualquier archivo XML o CSV a WordPress. Este problema afecta la importación de cualquier archivo XML o CSV a WordPress: desde n/a hasta 3.7.3. The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all ... • https://patchstack.com/database/vulnerability/wp-all-import/wordpress-import-any-xml-or-csv-file-to-wordpress-plugin-3-7-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3418 – WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
https://notcve.org/view.php?id=CVE-2022-3418
17 Oct 2022 — The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files El complemento Importar cualquier archivo XML o CSV a WordPress anterior a 3.6.9 no filtra correctamente qué extensiones de archivo se pueden importar en el servidor, lo que podría permitir a los administradores de instalaciones de WordPress en varios sitios ca... • https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2711 – WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
https://notcve.org/view.php?id=CVE-2022-2711
17 Oct 2022 — The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. El complemento Importar cualquier archivo XML o CSV a WordPress anterior a 3.6.9 no valida las rutas de los archivos contenidos en los archivos zip cargados, lo que permite a usuarios con privilegios elevados, c... • https://wpscan.com/vulnerability/11e73c23-ff5f-42e5-a4b0-0971652dcea1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2268 – WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-2268
01 Jul 2022 — The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.8, acepta todos los archivos zip y extrae automáticamente el archivo zip sin validar el tipo de archivo extraído. Permitiendo a usuarios con altos privilegios, como ... • https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 1%CPEs: 1EXPL: 2CVE-2022-1565 – Import any XML or CSV File to WordPress <= 3.6.7 - Admin+ Malicious File Upload
https://notcve.org/view.php?id=CVE-2022-1565
30 Jun 2022 — The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. El plugin WP All Import es vulnerable a ua carga de archivos arbitrarios debido a una falta de comprobación del tipo de archivo po... • https://www.exploit-db.com/exploits/51122 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36386 – WordPress Import any XML or CSV File to WordPress plugin <= 3.6.7 - Authenticated Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2022-36386
28 Jun 2022 — Authenticated Arbitrary Code Execution vulnerability in Soflyy Import any XML or CSV File to WordPress plugin <= 3.6.7 at WordPress. Una vulnerabilidad de Ejecución de Código Arbitrario Autenticado en el plugin Soflyy Import any XML or CSV File to WordPress versiones anteriores a 3.6.7 incluyéndola, en WordPress The WP All Import plugin for WordPress is vulnerable to arbitrary code execution in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level... • https://patchstack.com/database/vulnerability/wp-all-import/wordpress-import-any-xml-or-csv-file-to-wordpress-plugin-3-6-7-authenticated-arbitrary-code-execution-vulnerability • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24714 – WP All Import < 3.6.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24714
02 Nov 2021 — The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.3, no escapa de los campos Title y Unique Identifier de la importación antes de mostrarlos en las páginas de administración, que podría perm... • https://wpscan.com/vulnerability/a8d314b9-26ac-4b56-a85c-a2528e55e73a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-9331 – Import any XML or CSV File to WordPress <= 3.2.3 & PRO < 4.1.1 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2015-9331
20 Aug 2019 — The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit. El plugin wp-all-import antes de 3.2.4 para WordPress no tiene prevención de solicitudes no autenticadas a adminInit. • https://wordpress.org/plugins/wp-all-import/#developers • CWE-254: 7PK - Security Features CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0546 – WP All Import <= 3.4.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-0546
08 Mar 2018 — Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.6 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de Cross-Site Scripting (XSS) en el plugin WP All Import, en versiones anteriores a la 3.4.6 para WordPress, permite que los atacantes inyecten scripts web o HTML arbitrarios utilizando vectores no especificados. • https://jvn.jp/en/jp/JVN33527174/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-0547 – WP All Import <= 3.4.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-0547
08 Mar 2018 — Cross-site scripting vulnerability in WP All Import plugin prior to version 3.4.7 for WordPress allows an attacker to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de Cross-Site Scripting (XSS) en el plugin WP All Import, en versiones anteriores a la 3.4.7 para WordPress, permite que los atacantes inyecten scripts web o HTML arbitrarios utilizando vectores no especificados. • https://jvn.jp/en/jp/JVN60032768/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •