// For flags

CVE-2022-0236

WP Import Export (Lite) <= 3.9.15 Unauthenticated Sensitive Data Disclosure

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.

El plugin WP Import Export de WordPress (tanto en su versión gratuita como en la premium) es vulnerable a una divulgación de datos confidenciales sin autenticación debido a la falta de comprobación de capacidad en la función de descarga wpie_process_file_download que es encontrada en el archivo ~/includes/classes/class-wpie-general.php. Esto hacía posible que atacantes no autenticados pudieran descargar cualquier información importada o exportada de un sitio vulnerable que pudiera contener información confidencial como datos de usuarios. Esto afecta a las versiones hasta la 3.9.15 incluyéndola

*Credits: Karan Saini (Kloudle Inc.)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-14 CVE Reserved
  • 2022-01-14 CVE Published
  • 2022-01-17 First Exploit
  • 2024-08-02 CVE Updated
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Vjinfotech
Search vendor "Vjinfotech"
Wp Import Export
Search vendor "Vjinfotech" for product "Wp Import Export"
<= 3.9.15
Search vendor "Vjinfotech" for product "Wp Import Export" and version " <= 3.9.15"
wordpress
Affected
Vjinfotech
Search vendor "Vjinfotech"
Wp Import Export Lite
Search vendor "Vjinfotech" for product "Wp Import Export Lite"
<= 3.9.15
Search vendor "Vjinfotech" for product "Wp Import Export Lite" and version " <= 3.9.15"
wordpress
Affected