WordPress Plugin Vulnerabilities

Import any XML or CSV File to WordPress <= 3.2.3 - RCE

Description

WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called allows this to be leveraged in many ways.

Affects Plugins

Plugin icon
wp-all-import
Fixed in 3.2.4

References

CVE
CVE-2015-9331
URL
https://packetstormsecurity.com/files/#130596/
URL
http://www.wpallimport.com/2015/02/wp-import-4-1-1-mandatory-security-update/
URL
https://www.pritect.net/blog/wp-all-import-vulnerability

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.5 (high)

Miscellaneous

Submitter
James Golovich
Submitter website
http://www.pritect.net
Verified
No
WPVDB ID
87c4b6bd-d417-452b-981b-fd7d715d4850

Timeline

Publicly Published
2015-02-26 (about 11 years ago)
Added
2015-02-26 (about 11 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2021-12-05
Title
Button Generator < 2.3.3 - RFI leading to RCE via CSRF
Published
2025-09-22
Title
WP User Frontend < 4.1.13 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2025-08-14
Title
Dynamic Pricing With Discount Rules for WooCommerce < 4.5.10 - Authenticated (Shop Manager+) Arbitrary Code Execution
Published
2025-03-07
Title
Allow PHP Execute <= 1.0 - Authenticated (Editor+) PHP Code Injection
Published
2025-09-08
Title
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress < 5.3.7 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation