WP ALL Export Pro < 1.7.9 – Authenticated Code Injection | CVE 2022-3394

Description

The plugin does not limit some functionality during exports only to users with the Administrator role, allowing any logged in user which has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be delegated to lower privileged users.

Proof of Concept

https://github.com/p3n7a90n/WPPluginsVulnerabilitiesReported/tree/main/wp-all-export-pro/CodeInjection

Affects Plugins

wp-all-export-pro

Fixed in 1.7.9

References

CVE

CVE-2022-3394

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

9.1 (critical)

Miscellaneous

Original Researcher

Sanjay Das

Submitter

Sanjay Das

Submitter website

https://p3n7a90n.github.io/

Submitter twitter

https://twitter.com/p3n7a90n

Verified

Yes

WPVDB ID

3266eb59-a8b2-4a5a-ab48-01a9af631b2c

Timeline

Publicly Published

2022-10-03 (about 3 years ago)

Added

2022-10-03 (about 3 years ago)

Last Updated

2022-10-03 (about 3 years ago)

Other

Published

Title

Published

2024-09-30

Title

Iconize <= 1.2.4 - Authenticated (Admin+) Remote Code Execution

Published

2014-08-01

Title

XML Sitemap Generator 3.2.8 - XML File Overwrite Arbitrary Code Execution

Published

2025-09-22

Title

Cozy Blocks < 2.1.30 - Unauthenticated Arbitrary Shortcode Execution

Published

2014-10-13

Title

WP-DBManager < 2.7.2 - Authenticated Command Injection

Published

2025-09-08

Title

WP-Members Membership Plugin < 3.5.4.3 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via Profile Names