WP All Export (Free < 1.4.0, Pro < 1.8.6) – Admin+ RCE | CVE 2023-4724

Description

The plugin does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server

Proof of Concept

1. Go to "All Export" > "New Export"
2. Select "WP Query Results" as the export type
3. Enter the payload `phpinfo()` for the query.
4. Click customize and see the execution of `phpinfo()` when the page loads.

Affects Plugins

wp-all-export

Fixed in 1.4.0

wp-all-export-pro

Fixed in 1.8.6

References

CVE

CVE-2023-4724

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

Francesco Marano (@mrnfrancesco), Donato Di Pasquale (@ddipa)

Submitter

Unlock Security

Submitter website

https://www.unlock-security.it/

Submitter twitter

unlock_security

Verified

Yes

WPVDB ID

48820f1d-45cb-4f1f-990d-d132bfc5536f

Timeline

Publicly Published

2023-11-21 (about 2 years ago)

Added

2023-11-21 (about 2 years ago)

Last Updated

2023-11-21 (about 2 years ago)

Other

Published

Title

Published

2025-07-10

Title

GB Forms DB < 1.0.3 - Unauthenticated Remote Code Execution

Published

2024-12-05

Title

ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.52 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2025-08-15

Title

Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress < 4.16.5 - Unauthenticated Arbitrary Shortcode Execution

Published

2022-10-03

Title

WP ALL Export Pro < 1.7.9 - Authenticated Code Injection

Published

2024-09-04

Title

Bit File Manager 6.0 - 6.5.5 - Unauthenticated Remote Code Execution via Race Condition