WP All Export Pro < 1.7.9 - Authenticated SQLi
CVE-2022-3395

8.8HIGH

Key Information:

Vendor: Wordpress
Status: WP All Export Pro
Vendor: CVE Published:; 25 October 2022

Summary

The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.

Affected Version(s)

WP All Export Pro 1.7.9

References

https://wpscan.com/vulnerability/10742154-368a-40be-a67d-...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 25, 2022
Vulnerability Reserved
Oct 3, 2022

Credit

Sanjay Das