WordPress Plugin Vulnerabilities

Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution

Description

The plugin allows high privilege users such as admin to import zip archives containing PHP files, which could allow admin of multisite setup to perform RCE attacks

Affects Plugins

Plugin icon
wp-all-import
Fixed in 3.6.8

References

CVE
CVE-2022-36386

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Universe
Verified
No
WPVDB ID
b469d595-14fa-4514-a79d-cdec7baf8a64

Timeline

Publicly Published
2022-06-28 (about 3 years ago)
Added
2022-09-21 (about 3 years ago)
Last Updated
2022-09-21 (about 3 years ago)

Other

Published
Title
Published
2023-08-28
Title
Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload
Published
2023-11-13
Title
Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
Published
2026-02-17
Title
Cart All In One For WooCommerce < 1.1.22 - Admin+ Code Injection
Published
2025-04-23
Title
Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution
Published
2024-12-05
Title
ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup < 4.0.52 - Authenticated (Subscriber+) Arbitrary Shortcode Execution