CVE-2022-1565

HIGH

WP All Import < 3.6.8 - Authenticated Arbitrary File Upload via wp_all_import_get_gz.php

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-1565. PoCs published by AkuCyberSec, phanthibichtram12.

AI-analyzed exploit summary: This exploit leverages an arbitrary file upload vulnerability in WP All Import (CVE-2022-1565) to achieve RCE. It requires admin credentials to upload a malicious ZIP file containing a PHP payload, bypassing file type validation.

Description

The WP All Import plugin is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. This makes it possible for authenticated attackers, with administrator-level permissions and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Exploits (2)

exploitdb WORKING POC VERIFIED
by AkuCyberSec · python · webapps · php
https://www.exploit-db.com/exploits/51122

This exploit leverages an arbitrary file upload vulnerability in WP All Import (CVE-2022-1565) to achieve RCE. It requires admin credentials to upload a malicious ZIP file containing a PHP payload, bypassing file type validation.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WP All Import <= 3.6.7
Auth required
Prerequisites: Valid admin credentials · ZIP file containing a PHP payload
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by phanthibichtram12 · poc
https://github.com/phanthibichtram12/CVE-2022-1565

This repository contains a Python-based exploit for CVE-2022-1565, targeting an arbitrary file upload vulnerability in the WordPress WP All Import plugin (versions <= 3.6.7). The exploit allows authenticated attackers with admin privileges to upload malicious files, potentially leading to remote code execution (RCE).

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WordPress WP All Import Plugin <= 3.6.7
Auth required
Prerequisites: Admin credentials for WordPress · Target URL · Prepared ZIP file containing malicious payload
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.2
EPSS 0.1113
EPSS Percentile 95.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-434
Status published
Products (2)
wpallimport/WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets < 3.6.7
wpallimport/wp_all_import < 3.6.8
Published Jul 18, 2022
Tracked Since Feb 18, 2026