CVE-2023-4724 — Code Injection in Export ANY Wordpress Data TO XML CSV

CWE-94 — Code Injection3 documents3 sources

Severity

7.2HIGHNVD

EPSS

1.0%

top 22.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Soflyy Export ANY Wordpress Data TO XML CSV Soflyy WP ALL Export

Timeline

PublishedDec 18

Description

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages2 packages

▶NVDsoflyy/export_any_wordpress_data_to_xml_csv< 1.4.0

▶NVDsoflyy/wp_all_export< 1.8.6

🔴Vulnerability Details

CVEList

WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE↗2023-12-18

▶

GHSA

GHSA-gj3x-fvqg-gcjm: The Export any WordPress data to XML/CSV WordPress plugin before 1↗2023-12-18

▶