Server-Side Request Forgery Vulnerability in WP Import Export Lite by WordPress
CVE-2026-11397
5.5 MEDIUM
What is CVE-2026-11397?
The WP Import Export Lite plugin for WordPress contains a server-side request forgery (SSRF) vulnerability that can be exploited by authenticated users with administrator-level access. The issue arises because the plugin's URL downloader does not correctly handle the error returned for requests to internal network hosts. When a request results in a WP_Error response because the internal host was blocked, the plugin incorrectly falls back to an unrestricted external URL request, circumventing the SSRF protections. As a result, attackers can make the server send requests to arbitrary locations, potentially exposing internal resources such as the cloud metadata endpoint.
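The fail-open fallback described above, next to a fail-closed form, as an added example that is not the plugin's own code. It assumes the restricted request is WordPress's wp_safe_remote_get() and the unrestricted one is wp_remote_get(); the advisory does not name the functions, and the wpie_example_* names are hypothetical.

```php
<?php
// Added illustration. Function names (wpie_example_*) are hypothetical and
// the choice of wp_safe_remote_get()/wp_remote_get() is an assumption.

// Fail-open pattern: any WP_Error from the restricted request, including
// the one produced when the URL is rejected as unsafe, triggers a second
// request that performs no URL validation.
function wpie_example_download_fail_open( $url ) {
    $response = wp_safe_remote_get( $url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) ) {
        // The refusal is treated like a transient failure and retried
        // through the unrestricted API, which defeats the check above.
        $response = wp_remote_get( $url, array( 'timeout' => 15 ) );
    }
    return $response;
}

// Fail-closed form: the restricted request is the only request made.
function wpie_example_download_fail_closed( $url ) {
    // Allow only http/https; esc_url_raw() returns '' for other schemes.
    $url = esc_url_raw( $url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'wpie_example_bad_url', 'URL is empty or uses a disallowed scheme.' );
    }

    $response = wp_safe_remote_get(
        $url,
        array(
            'timeout'     => 15,
            'redirection' => 0, // redirects are not followed at all
        )
    );

    if ( is_wp_error( $response ) ) {
        // Return the error to the caller; never retry with wp_remote_get().
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'wpie_example_http_status', 'Unexpected HTTP status.' );
    }
    return $response;
}
```

When reviewing other download code for the same defect, look for any wp_remote_get() call that is reachable from an is_wp_error() branch following a wp_safe_remote_get() call.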
Affected Version(s)
WP Import Export Lite: 0 through 3.9.30 (<= 3.9.30)