Import WP < 2.4.6 – Admin+ Arbitrary File Upload to RCE | CVE 2022-1273 | Plugin Vulnerabilities

Description

The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

Proof of Concept

Import a PHP file via an URL [Tools > Import WP > Add Importer (put any name, and post template) > Create Importer > Remote File (select any file type)], eg: https://example.com/info.php (content of info.php:<?php phpinfo();?>)

Intercept the response to get the path of the file (via the file[src], eg: 06-2-info.php) and append that https://WP/wp-content/uploads/<year>/<month>, eg: https://WP/wp-content/uploads/2022/04/06-2-info.php

Affects Plugins

Fixed in 2.4.6

References

CVE

Miscellaneous

Original Researcher

ericfrank900528

Submitter

ericfrank900528

Verified

Yes

WPVDB ID

ad99b9ba-5f24-4682-a787-00f0e8e32603

Timeline

Publicly Published

2022-04-11 (about 3 years ago)

Added

2022-04-11 (about 3 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2023-11-22

Title

Multiple Plugins by Trustindex.io <= (Various Versions)- Authenticated (Editor+) Arbitrary File Upload

Published

2023-08-04

Title

Forminator < 1.25.0 - Unauthenticated Arbitrary File Upload

Published

2025-06-23

Title

Aiomatic - AI Content Writer, Editor, ChatBot & AI Toolkit < 2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2015-12-23

Title

NextGEN Gallery < 2.1.15 - Unrestricted File Upload

Published

2015-07-06

Title

ACF Frontend Display <= 2.0.6 - Arbitrary File Upload