CVE-2022-2711
HIGHWP All Import < 3.6.9 - Authenticated Path Traversal and Arbitrary File Write via Zip Archive
Title source: llmDescription
The Import any XML or CSV File to WordPress plugin before 3.6.9 is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://wpscan.com/vulnerability/11e73c23-ff5f-42e5-a4b0-0971652dcea1
Scores
CVSS v3
7.2
EPSS
0.0319
EPSS Percentile
86.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
soflyy/wp_all_import
< 3.6.9
Published
Nov 07, 2022
Tracked Since
Feb 18, 2026