WP ALL Export Pro < 1.7.9 – Authenticated SQLi | CVE 2022-3395

Description

The plugin uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.

Proof of Concept

https://github.com/p3n7a90n/WPPluginsVulnerabilitiesReported/tree/main/wp-all-export-pro/SQLInjection

Affects Plugins

wp-all-export-pro

Fixed in 1.7.9

References

CVE

CVE-2022-3395

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

Sanjay Das

Submitter

Sanjay Das

Submitter website

https://p3n7a90n.github.io/

Submitter twitter

https://twitter.com/p3n7a90n

Verified

Yes

WPVDB ID

10742154-368a-40be-a67d-80ea848493a0

Timeline

Publicly Published

2022-10-03 (about 3 years ago)

Added

2022-10-03 (about 3 years ago)

Last Updated

2022-10-03 (about 3 years ago)

Other

Published

Title

Published

2014-08-01

Title

Js-appointment <= 1.5 - SQL Injection

Published

2014-08-01

Title

Count per Day < 3.0 - SQL Injection

Published

2014-08-01

Title

Published

2023-10-30

Title

Popup with fancybox < 3.6 - Authenticated (Subscriber+) SQL Injection via Shortcode

Published

2025-10-08

Title

Community Events < 1.5.2 - Unauthenticated SQL Injection