CVE-2022-0236
HIGHVjinfotech WP Import Export WordPress Plugin <= 3.9.15 - Sensitive Data Disclosure
Title source: llmExploitation Summary
EIP tracks 2 public exploits for CVE-2022-0236. PoCs published by qurbat, xiska62314.
AI-analyzed exploit summary This PoC exploits an unauthenticated sensitive data disclosure vulnerability in the WP Import Export WordPress plugin by sending a crafted POST request to download exported/imported data without authentication.
Description
The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.
Exploits (2)
This PoC exploits an unauthenticated sensitive data disclosure vulnerability in the WP Import Export WordPress plugin by sending a crafted POST request to download exported/imported data without authentication.
The repository contains only a README.md file with the CVE identifier and no functional exploit code or technical details. It appears to be a placeholder or stub.
References (3)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N