The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.
El complemento Import WP WordPress anterior a 2.13.1 no impide que los usuarios con función de administrador hagan ping al realizar ataques SSRF, lo que puede ser un problema en configuraciones multisitio.
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.13.0 via the /wp-json/iwp/v1/importer/$IMPORTERID/upload REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
