CVE-2022-0236

Published: Jan 18, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.

Affected (2)

Products: Vjinfotech: Wp Import Export, Wp Import Export Lite

2 products

Wp Import Export

Wp Import Export Lite

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Vjinfotech Wp Import Export	Up to 3.9.15
Vjinfotech Wp Import Export Lite	Up to 3.9.15

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (6)

https://github.com/qurbat/CVE-2022-0236

Source: security@wordfence.com

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2649762/wp-import-export-lite/trunk/includes/classes/class-wpie-general.php

Source: security@wordfence.com

PatchThird Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0236

Source: security@wordfence.com

Third Party Advisory

https://github.com/qurbat/CVE-2022-0236

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://plugins.trac.wordpress.org/changeset/2649762/wp-import-export-lite/trunk/includes/classes/class-wpie-general.php

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0236

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.