WP Import Export < 3.9.16 – Unauthenticated Sensitive Data Disclosure | CVE 2022-0236 | Plugin Vulnerabilities

Description

The plugins are vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data.

Affects Plugins

wp-import-export-lite

Fixed in 3.9.16

wp-import-export

Fixed in 3.9.16

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0236

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Karan Saini

Verified

Yes

WPVDB ID

dde047b7-db53-4194-9955-5f1307dccff5

Timeline

Publicly Published

2022-01-14 (about 4 years ago)

Added

2022-01-14 (about 4 years ago)

Last Updated

2022-04-13 (about 4 years ago)

Other

Published

Title

Published

2026-03-30

Title

Gravity SMTP < 2.1.5 - Unauthenticated Sensitive Information Exposure via REST API

Published

2024-08-08

Title

Linkify Text <= 1.9.1 - Unauthenticated Full Path Disclosure

Published

2024-04-22

Title

WP Fusion Lite – Marketing Automation and CRM Integration for WordPress < 3.43.0 - Information Exposure

Published

2025-12-11

Title

Guest Support < 1.3.0 - Unauthenticated User Email Disclosure in guest_support_handler AJAX Endpoint

Published

2024-12-16

Title

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions < 241216 - Authenticated (Contributor+) Sensitive Information Exposure