WordPress Plugin Vulnerabilities

WP All Import < 3.6.8 - Admin+ Arbitrary File Upload

Description

The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

Proof of Concept

Affects Plugins

Plugin icon
wp-all-import
Fixed in 3.6.8

References

CVE
CVE-2022-2268

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
moresec
Submitter
moresec
Submitter website
https://github.com/Jamesusername
Verified
Yes
WPVDB ID
578093db-a025-4148-8c4b-ec2df31743f7

Timeline

Publicly Published
2022-07-01 (about 3 years ago)
Added
2022-06-30 (about 3 years ago)
Last Updated
2023-04-05 (about 2 years ago)

Other

Published
Title
Published
2014-10-13
Title
WP-DBManager < 2.7.2 - Authenticated Command Injection
Published
2024-12-11
Title
Grid Plus – Unlimited grid layout <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via grid_plus_load_by_category
Published
2025-09-29
Title
Copypress Rest API 1.1 - 1.2 - Unauthenticated Remote Code Execution
Published
2014-08-01
Title
WP Business intelligence lite < 1.1 - Remote Code Execution Exploit
Published
2024-10-14
Title
ajax-extend <= 1.0 - Unauthenticated Remote Code Execution