Theme-Demo-Importer < 1.1.1 – Admin+ Arbitrary File Upload | CVE 2022-1538 | Plugin Vulnerabilities

Description

The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

Proof of Concept

1. Navigate to: Appearance >Import Demo Content > Theme Demo Importer > Manually upload the demo files

2. Use the XML file import option to upload a PHP file containing this content:
<?php phpinfo();?>

3. Find the file at https://example.com/wp-content/uploads/YYYY/MM/your-file.php

Affects Plugins

theme-demo-import

Fixed in 1.1.1

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ccltt1201

Submitter

ccltt1201

Verified

Yes

WPVDB ID

b19adf7c-3983-487b-9b46-0f2922b08c1c

Timeline

Publicly Published

2022-11-08 (about 3 years ago)

Added

2022-11-08 (about 3 years ago)

Last Updated

2022-11-08 (about 3 years ago)

Other

Published

Title

Published

2024-10-27

Title

All-in-One WP Migration and Backup < 7.87 - Authenticated (Administrator+) Arbitrary PHP Code Injection

Published

2022-02-22

Title

Transposh WordPress Translation < 1.0.8 - Admin+ RCE

Published

2007-03-02

Title

WordPress 2.1.1 - RCE Backdoor

Published

2023-12-05

Title

Astra Pro < 4.3.2 - Authenticated(Contributor+) Remote Code Execution via Metabox

Published

2025-09-22

Title

WPCasa < 1.4.2 - Unauthenticated Code Injection