CVE-2022-3418

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

T

he Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files

References

Link	Resource
https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d	Exploit Third Party Advisory
https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:soflyy:wp_all_import:*:*:*:*:*:wordpress:*:*

History

21 Nov 2024, 07:19

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d - Exploit, Third Party Advisory~~	() https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d - Exploit, Third Party Advisory

Information

Published : 2022-11-07 10:15

Updated : 2025-05-01 21:15

NVD link : CVE-2022-3418

Mitre link : CVE-2022-3418

CVE.ORG link : CVE-2022-3418

JSON object : View

Products Affected

wp_all_import

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2022-3418", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2022-11-07T10:15:11.647", "references": [{"url": "https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://wpscan.com/vulnerability/ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Primary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The Import any XML or CSV File to WordPress plugin before 3.6.9 is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files"}, {"lang": "es", "value": "El complemento Importar cualquier archivo XML o CSV a WordPress anterior a 3.6.9 no filtra correctamente qu\u00e9 extensiones de archivo se pueden importar en el servidor, lo que podr\u00eda permitir a los administradores de instalaciones de WordPress en varios sitios cargar archivos arbitrarios."}], "lastModified": "2025-05-01T21:15:50.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:soflyy:wp_all_import:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "AC5FEDCB-4B80-44FE-9AE2-60C4CA4DB7CE", "versionEndExcluding": "3.6.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}