WordPress Plugin Vulnerabilities
WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
Description
The plugin does not validate or sanitise the `wp_query` parameter of the "WP Query Results" export type. The value is evaluated as PHP, so a user with administrator privileges or higher (hence "Admin+") can execute arbitrary PHP code, and through it arbitrary commands, on the server hosting the site.
Proof of Concept
1. Go to "All Export" > "New Export"
2. Select "WP Query Results" as the export type
3. Enter the payload `phpinfo()` for the query
4. Click "Customize" and observe the output of `phpinfo()` when the page loads
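Before anything else, a practitioner wants to know whether a given install sits inside the affected ranges (Free < 1.4.0, Pro < 1.8.6). The following is an added example, not code from this advisory or from the plugin: it reads the plugin's `Version:` header the same way WordPress reads plugin headers (from the first 8 KB of the main file) and compares it numerically against the first fixed version. The main-file paths `wp-all-export/wp-all-export.php` and `wp-all-export-pro/wp-all-export-pro.php` are assumptions about a standard layout, and the sample header is constructed so the block runs offline.

```python
"""Version check for the WP All Export advisory (Free < 1.4.0, Pro < 1.8.6).

Added example, not code from the advisory or from the plugin. Plugin main-file
paths are assumptions; the 'Version:' header is parsed the way WordPress reads
plugin headers (first 8 KB of the main file)."""
import re
import sys
from pathlib import Path

# Main file relative to wp-content/plugins (assumed paths) -> first fixed version.
FIXED_VERSIONS = {
    "wp-all-export/wp-all-export.php": "1.4.0",          # free edition
    "wp-all-export-pro/wp-all-export-pro.php": "1.8.6",  # pro edition
}

# Matches a plugin-header line such as " * Version: 1.3.9"
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.M | re.I)

# Constructed sample header (not a real plugin file) so the block runs offline.
SAMPLE_HEADER = """<?php
/*
Plugin Name: WP All Export
Description: Export any WordPress data to XML, CSV, or Excel
Version: 1.3.9
*/
"""


def parse_version(s):
    """Convert '1.3.9', '1.4' or '1.4.0-rc1' into a comparable tuple.

    Components are compared as integers (so 1.10.0 > 1.8.6) and padded to
    three parts. A pre-release suffix sorts below the plain release, so
    '1.4.0-rc1' is still treated as older than the fixed '1.4.0'.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)$", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    prerelease = m.group(2).strip().lstrip("-.") != ""
    return tuple(nums) + ((0,) if prerelease else (1,))


def version_from_header(text):
    """Return the Version: value from a plugin header, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def is_vulnerable(plugin_file, version):
    """True/False for a plugin covered by the advisory; None for any other file."""
    fixed = FIXED_VERSIONS.get(plugin_file)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def scan_plugins_dir(plugins_dir):
    """Scan a wp-content/plugins directory; returns {plugin_file: (version, vulnerable)}."""
    root = Path(plugins_dir)
    results = {}
    for rel in FIXED_VERSIONS:
        path = root / rel
        if not path.is_file():
            continue
        header = path.read_text(errors="replace")[:8192]  # WordPress reads 8 KB
        version = version_from_header(header)
        results[rel] = (version, is_vulnerable(rel, version) if version else None)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for rel, (version, vuln) in scan_plugins_dir(sys.argv[1]).items():
            state = "VULNERABLE" if vuln else ("not affected" if vuln is False else "unknown")
            print(f"{rel}: version {version} -> {state}")
    else:
        v = version_from_header(SAMPLE_HEADER)
        print(f"sample header: version {v}, "
              f"vulnerable={is_vulnerable('wp-all-export/wp-all-export.php', v)}")
```

Run it against a live install with `python check.py /var/www/html/wp-content/plugins`; with no argument it checks the constructed sample header. Versions are compared as integer tuples rather than strings so that a future 1.10.x of the Pro edition is not mis-flagged as older than 1.8.6.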
Classification
Type
RCE
Miscellaneous
Original Researcher
Francesco Marano (@mrnfrancesco), Donato Di Pasquale (@ddipa)
Submitter
Unlock Security
Verified
Yes
Timeline
Publicly Published
2023-11-21
Added
2023-11-21
Last Updated
2023-11-21