CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31939 – WordPress Import any XML or CSV File to WordPress plugin <= 3.7.3 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31939
Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Import any XML or CSV File to WordPress.This issue affects Import any XML or CSV File to WordPress: from n/a through 3.7.3. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Soflyy Importe cualquier archivo XML o CSV a WordPress. Este problema afecta la importación de cualquier archivo XML o CSV a WordPress: desde n/a hasta 3.7.3. The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.7.3. This is due to missing or incorrect nonce validation on several functions. • https://patchstack.com/database/vulnerability/wp-all-import/wordpress-import-any-xml-or-csv-file-to-wordpress-plugin-3-7-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2711 – WP All Import < 3.6.9 - Admin+ Directory traversal via file upload
https://notcve.org/view.php?id=CVE-2022-2711
The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. El complemento Importar cualquier archivo XML o CSV a WordPress anterior a 3.6.9 no valida las rutas de los archivos contenidos en los archivos zip cargados, lo que permite a usuarios con privilegios elevados, como administradores, escribir archivos arbitrarios en cualquier parte del sistema de archivos al que pueda acceder el servidor web a través de un vector de path traversal. The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file path validation in uploaded zip archives in versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with administrator-level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. • https://wpscan.com/vulnerability/11e73c23-ff5f-42e5-a4b0-0971652dcea1 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3418 – WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
https://notcve.org/view.php?id=CVE-2022-3418
The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files El complemento Importar cualquier archivo XML o CSV a WordPress anterior a 3.6.9 no filtra correctamente qué extensiones de archivo se pueden importar en el servidor, lo que podría permitir a los administradores de instalaciones de WordPress en varios sitios cargar archivos arbitrarios. The Import any XML or CSV File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to improper file extension validation when uploading files in versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with administrator-level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. • https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2268 – WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-2268
The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE El plugin Import any XML or CSV File to de WordPress versiones anteriores a 3.6.8, acepta todos los archivos zip y extrae automáticamente el archivo zip sin validar el tipo de archivo extraído. Permitiendo a usuarios con altos privilegios, como el administrador, subir un archivo arbitrario como PHP, conllevando a un RCE • https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 2CVE-2022-1565 – Import any XML or CSV File to WordPress <= 3.6.7 - Admin+ Malicious File Upload
https://notcve.org/view.php?id=CVE-2022-1565
The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. El plugin WP All Import es vulnerable a ua carga de archivos arbitrarios debido a una falta de comprobación del tipo de archivo por medio del archivo wp_all_import_get_gz.php en versiones hasta 3.6.7 incluyéndola. Esto hace posible que atacantes autenticados, con permisos de nivel de administrador y superiores, suban archivos arbitrarios en el servidor de los sitios afectados, lo que puede hacer posible una ejecución de código remota • https://www.exploit-db.com/exploits/51122 https://github.com/phanthibichtram12/CVE-2022-1565 https://plugins.trac.wordpress.org/changeset/2749264/wp-all-import/trunk?contextall=1&old=2737093&old_path=%2Fwp-all-import%2Ftrunk https://www.wordfence.com/threat-intel/vulnerabilities/id/5d281333-d9af-4eb7-bc5c-ea7ceeddac03?source=cve https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1565 • CWE-434: Unrestricted Upload of File with Dangerous Type •