CVE-2015-9331

HIGH

WP All Import < 3.2.4 - Unauthenticated Admin Initialization Access

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-9331. PoCs published by Kairo-one.

AI-analyzed exploit summary: This repository contains a functional Python exploit for CVE-2015-9331, an arbitrary file upload vulnerability in the WP All Import WordPress plugin. The exploit uploads a PHP webshell via the admin-ajax.php endpoint and calculates the upload directory path using a timestamp and MD5 hash.

Description

The wp-all-import plugin before 3.2.4 for WordPress has no prevention of unauthenticated requests to adminInit.

Exploits (1)

nomisec WORKING POC
by Kairo-one · poc
https://github.com/Kairo-one/CVE-2015-9331

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WP All Import plugin for WordPress <= 3.2.3
No auth needed
Prerequisites: Target must have the vulnerable WP All Import plugin installed and accessible
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0143
EPSS Percentile: 69.6%
Attack Vector: NETWORK
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE: CWE-254
Status: published
Products (1): soflyy/wp_all_import < 3.2.4
Published: Aug 20, 2019
Tracked Since: Feb 18, 2026