CVE-2022-1565

Import any XML or CSV File to WordPress <= 3.6.7 - Admin+ Malicious File Upload

CVSS 7.2 HIGHEPSS 11.3%CWE-434

Vexday Risk Score

46Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 7.2EPSS 11.3%KEV nãoPoC públicaNuclei —Metasploit —Patch —

Lifecycle

18 Jul 2022Published on NVD

29 Mar 2023Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

wpallimport · WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets

public PoCs found — 2

githubgithub.com/phanthibichtram12/CVE-2022-1565★ 0 exploitdbwww.exploit-db.com/exploits/51122unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/changeset/2749264/wp-all-import/trunk?contextall=1&old=2737093&old_path=%2Fwp-all-import%2Ftrunk https://www.wordfence.com/threat-intel/vulnerabilities/id/5d281333-d9af-4eb7-bc5c-ea7ceeddac03?source=cve https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1565