WP All Export (Free < 1.4.0, Pro < 1.8.6) – Admin+ RCE | CVE 2023-4724

Description

The plugin does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server

Proof of Concept

1. Go to "All Export" > "New Export"
2. Select "WP Query Results" as the export type
3. Enter the payload `phpinfo()` for the query.
4. Click customize and see the execution of `phpinfo()` when the page loads.

Affects Plugins

wp-all-export

Fixed in 1.4.0

wp-all-export-pro

Fixed in 1.8.6

References

CVE

CVE-2023-4724

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

Francesco Marano (@mrnfrancesco), Donato Di Pasquale (@ddipa)

Submitter

Unlock Security

Submitter website

https://www.unlock-security.it/

Submitter twitter

unlock_security

Verified

Yes

WPVDB ID

48820f1d-45cb-4f1f-990d-d132bfc5536f

Timeline

Publicly Published

2023-11-21 (about 5 months ago)

Added

2023-11-21 (about 5 months ago)

Last Updated

2023-11-21 (about 5 months ago)

Other

Published

Title

Published

2023-08-28

Title

Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE

Published

2020-03-31

Title

LifterLMS < 3.37.15 - Arbitrary File Writing

Published

2022-07-25

Title

WP-DBManager < 2.80.8 - Admin+ Remote Command Execution

Published

2014-10-13

Title

WP-DBManager < 2.7.2 - Authenticated Command Injection

Published

2015-04-21

Title

MailChimp Subscribe Form <= 1.1 - Email Field Remote PHP Code Execution