Lucene search
MoresecWPEX-ID:578093DB-A025-4148-8C4B-EC2DF31743F7HistoryJul 01, 2022 - 12:00 a.m.
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
2022-07-0100:00:00
moresec
114
arbitrary file upload
admin access
php file upload
xml file upload
managed imports
source code analysis
file location
EPSS
0.001
Percentile
42.9%
The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE
As an admin upload a php file containing the palyload zipped along with a valid XML file via the New Import Upload page of the plugin:
https://example.com//wp-admin/admin.php?page=pmxi-admin-import
When the upload finishes you'll be able to find the random directory it was sent to by checking the links on the source code of the Managed Imports page:
http://example.com/wp-admin/admin.php?page=pmxi-admin-manage
The file will be located at something like:
https://example.com/wp-content/uploads/wpallimport/uploads/f8ac124b335362e2faed2da06d2123d5/folder/filename.phpRelated
openvas
openvas
nvd
nvd
CVE-2022-2268
2022-07-04 13:15:08
cnvd
cnvd
cvelist
cvelist
CVE-2022-2268 WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
2022-07-04 13:06:04
cve
cve
CVE-2022-2268
2022-07-04 13:15:08
wpvulndb
wpvulndb
WP All Import < 3.6.8 - Admin+ Arbitrary File Upload
2022-07-01 00:00:00
prion
prion
Design/Logic Flaw
2022-07-04 13:15:00