CVE-2022-2268

HIGH

WP All Import < 3.6.8 - Authenticated Arbitrary File Upload via Zip Extraction

Title source: llm
STIX 2.1

Description

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7

Scores

CVSS v3 7.2
EPSS 0.0115
EPSS Percentile 62.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
soflyy/wp_all_import < 3.6.8
Published Jul 04, 2022
Tracked Since Feb 18, 2026