First published: Mon Jul 04 2022(Updated: )
The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Soflyy Wp All Import | <3.6.8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-2268 is a vulnerability found in the Import any XML or CSV File to WordPress plugin before version 3.6.8.
CVE-2022-2268 has a severity rating of 7.2, which is considered high.
CVE-2022-2268 allows high privilege users, such as admin, to upload an arbitrary file, leading to remote code execution (RCE).
Versions up to and excluding 3.6.8 of the Import any XML or CSV File to WordPress plugin are affected by CVE-2022-2268.
Yes, you can find more information about CVE-2022-2268 at this reference: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7