Description
The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via an URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/1b640519-75e1-48cb-944e-b9bff9de6d3d
Scores
CVSS v3
7.2
EPSS
0.0126
EPSS Percentile
65.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-918
Status
published
Products (1)
smackcoders/import_all_pages\,_post_types\,_products\,_orders\,_and_users_as_xml_\&_csv
< 6.5.3
Published
Jun 27, 2022
Tracked Since
Feb 18, 2026