
WP All Import & WP All Export: Important Security Updates


We recently completed a security audit of WP All Import and WP All Export and uncovered several issues that have now been patched. We recommend updating to the latest versions as soon as possible.

What’s been released and what does it fix?

WP All Import Pro 4.9.8 and WP All Import Free 3.8.0
  • CVE-2024-8722: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload
  • CVE-2024-9664: Authenticated (Administrator+) PHP Object Injection via Import File
  • CVE-2024-9661: Cross-Site Request Forgery to Imported Content Deletion
WP All Export Pro 1.9.2
  • CVE-2024-7425: Authenticated (Shop Manager+) Remote Code Execution
  • CVE-2024-7419: Unauthenticated Remote Code Execution via Custom Export Fields

Note: The free version of WP All Export is unaffected by these vulnerabilities.

Detailed Overview of Vulnerabilities

CVE-2024-7425: Authenticated (Shop Manager+) Remote Code Execution

Someone granted permissions to manage WooCommerce products must enter malicious code into one or more Product fields. Those products with malicious code must then be processed by a Google Merchant Center export. This has the potential for privilege escalation and site takeover by someone with permissions to manage WooCommerce products.

CVE-2024-7419: Unauthenticated Remote Code Execution via Custom Export Fields

The site must have malicious data stored in a custom field. That could come from WooCommerce Orders (address fields, for example), but any user-supplied field from any post/data type would work. If that code is crafted correctly, it could be executed when an export is run. The export must be configured to include the field containing the malicious code via the ‘Custom export field’ feature. This has the potential for site takeover if all conditions are met.

CVE-2024-9661: Cross-Site Request Forgery to Imported Content Deletion

A forged request sent to the relevant endpoint could cause the data previously imported by the targeted import to be deleted, or the history for the targeted import to be deleted.

CVE-2024-9664: Authenticated (Administrator+) PHP Object Injection via Import File

A logged-in Administrator must cause a serialized string containing a malicious PHP object to be imported, which could then lead to code execution if an additional POP chain is present on the site. It is useful to note that WordPress’ maybe_unserialize() function has the same potential for exploitation for any malicious PHP objects serialized in the database. And of course, if someone with access to WP All Import would like to execute PHP code, we have a variety of methods described in our documentation: https://www.wpallimport.com/documentation/custom-code-overview/.

CVE-2024-8722: Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload

A logged-in Administrator must run an import that contains an SVG file loaded with some sort of malicious JavaScript payload. That JavaScript will run when the SVG is viewed. It’s only exploitable by the Administrator themselves, whether via intentional SVG creation and import or via importing data containing malicious SVG files.
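As an added example (not code from WP All Import or its authors), the following Python pre-import check covers the two data-borne issues described above from the defender's side: it flags serialized PHP objects in field values (the vector behind CVE-2024-9664) and active content in SVG markup (the vector behind CVE-2024-8722) before the records reach the database. The field names and sample rows are constructed for the demonstration.

```python
import re

# Serialized PHP object header, e.g. O:8:"stdClass":1:{ ... }. Plain arrays (a:...)
# and scalars are normal in WordPress meta, so only O: (object) and C: (custom
# serializable) records are flagged; the class name is captured for the report.
PHP_OBJECT_RE = re.compile(r'\b[OC]:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Markup that makes an SVG executable when rendered: script elements,
# on* event-handler attributes and javascript: URLs.
SVG_ACTIVE_RE = re.compile(r'<\s*script\b|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)

def find_php_objects(value):
    """Return the class names of every serialized PHP object embedded in value."""
    return PHP_OBJECT_RE.findall(value)

def svg_has_active_content(svg_text):
    """True if the SVG markup carries script, event handlers or javascript: URLs."""
    return SVG_ACTIVE_RE.search(svg_text) is not None

def looks_like_svg(value):
    head = value.lstrip()[:200].lower()
    return head.startswith("<svg") or ("<?xml" in head and "<svg" in head)

def audit_import_rows(rows):
    """Scan import records (dicts of field -> value) before the import runs.
    Returns (row_index, field, reason) for every value that needs rejection or review."""
    findings = []
    for index, row in enumerate(rows):
        for field, value in row.items():
            if not isinstance(value, str):
                continue
            classes = find_php_objects(value)
            if classes:
                findings.append((index, field, "serialized PHP object: " + ", ".join(classes)))
            if looks_like_svg(value) and svg_has_active_content(value):
                findings.append((index, field, "SVG with active content"))
    return findings

# Constructed sample rows: row 0 is benign (serialized array, static SVG); row 1
# carries a serialized stdClass in post meta and an SVG with a script element.
SAMPLE_ROWS = [
    {"post_title": "Plain product",
     "_extra_meta": 'a:2:{i:0;s:3:"foo";i:1;s:3:"bar";}',
     "image_svg": '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'},
    {"post_title": "Suspicious product",
     "_extra_meta": 'a:1:{i:0;O:8:"stdClass":1:{s:1:"x";i:1;}}',
     "image_svg": '<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'},
]
```

Running `audit_import_rows(SAMPLE_ROWS)` reports only row 1, once for the embedded stdClass and once for the SVG, while the benign serialized array in row 0 passes.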

Questions & Answers

Has anyone been hacked by any of these?

To the best of our knowledge, none of these vulnerabilities have been exploited maliciously. No user has reported a site being compromised due to these issues. However, it’s common for malicious actors to begin to scan for sites running older versions of plugins that are susceptible to the vulnerabilities. While the nature of these vulnerabilities makes them unsuitable for mass exploitation, we strongly advise you to update as soon as possible.

What if my site was already hacked? Should I be scared?

These vulnerabilities have existed in WP All Import and WP All Export for a very long time. We've never heard a single report of them being exploited maliciously. They were brought to our attention by a security researcher, not a malicious hacker. If your site is or was recently hacked, it is highly unlikely that these vulnerabilities were the cause. If you believe that you were hacked as a result of these vulnerabilities, feel free to get in touch and we’ll check whether any of these CVEs were involved.

How do I install the update?
  1. Back up your site. Always back up before making significant changes or updating plugins.
  2. Update from your WP Admin Dashboard. Visit Plugins > Installed Plugins, locate WP All Import / WP All Export, and click Update (if available).
  3. Manual update (if needed):
    • Deactivate and delete the old plugin version from your WordPress dashboard. (Don’t worry—your imports/exports, templates, and settings remain in your database.)
    • Download the newest version from your Customer Portal (Pro) or from WordPress.org (Free).
    • Install and activate the new version.

Special thanks to Francesco for working with us on the audit.
