Server-Side Request Forgery Vulnerability in WP Import Export Lite by WordPress
CVE-2026-11397

5.5 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
3 July 2026

What is CVE-2026-11397?

The WP Import Export Lite plugin for WordPress contains a server-side request forgery (SSRF) vulnerability that can be exploited by authenticated users with administrator-level access. The issue arises because the plugin's URL downloader does not correctly handle the error returned when a request targets an internal network. When a request results in a WP_Error response because the internal host was blocked, the plugin incorrectly falls back to an unrestricted external URL request, circumventing the SSRF protections. As a result, attackers can send requests to arbitrary locations, potentially exposing internal resources such as the cloud metadata endpoint.
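The fail-open pattern described above, next to a fail-closed form, as an added illustration that is not the plugin's own code. The `example_*` function names and the `example_url_rejected` error code are hypothetical; the snippet assumes it runs inside a loaded WordPress environment and uses only the core HTTP API (`wp_safe_remote_get()`, `wp_remote_get()`, `wp_http_validate_url()`).

```php
<?php
// Added illustration. Names prefixed example_ are hypothetical and are
// not taken from WP Import Export Lite. Requires a loaded WordPress.

/**
 * Fail-open: the restricted fetch returns a WP_Error, and the error path
 * retries the same URL through the unrestricted HTTP API.
 */
function example_download_fail_open( $url ) {
	$response = wp_safe_remote_get( $url, array( 'timeout' => 15 ) );
	if ( is_wp_error( $response ) ) {
		// The WP_Error may mean "host rejected as internal". Retrying with
		// wp_remote_get() throws that decision away.
		$response = wp_remote_get( $url, array( 'timeout' => 15 ) );
	}
	return $response;
}

/**
 * Fail-closed: validate first, fetch only through the restricted API,
 * and hand any WP_Error back to the caller without a second attempt.
 */
function example_download_fail_closed( $url ) {
	$validated = wp_http_validate_url( $url );
	if ( false === $validated ) {
		return new WP_Error(
			'example_url_rejected', // hypothetical error code
			'Download URL rejected by wp_http_validate_url().'
		);
	}

	$response = wp_safe_remote_get( $validated, array( 'timeout' => 15 ) );
	if ( is_wp_error( $response ) ) {
		// Record the refusal so blocked targets show up in the PHP error log.
		error_log( 'example downloader refused URL: ' . $response->get_error_message() );
	}
	return $response; // a WP_Error stays a WP_Error; no fallback request
}
```

When reviewing a downloader for this class of bug, look for any `is_wp_error()` branch that issues a second request to the same URL with fewer restrictions.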

Affected Version(s)

WP Import Export Lite 0 <= 3.9.30

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

밥김국