CVE-2022-2268

HIGH

Soflyy WP All Import < 3.6.8 - Unrestricted File Upload

Title source: rule
STIX 2.1

Description

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7

Scores

CVSS v3 7.2
EPSS 0.0096
EPSS Percentile 76.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-434
Status published
Products (1)
soflyy/wp_all_import < 3.6.8
Published Jul 04, 2022
Tracked Since Feb 18, 2026