vulnerability
WordPress Plugin: wp-all-export-pro: CVE-2024-7419: Improper Control of Generation of Code ('Code Injection')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:H/Au:N/C:C/I:C/A:C) | Feb 7, 2025 | May 15, 2025 | May 15, 2025 |
Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
Feb 7, 2025
Added
May 15, 2025
Modified
May 15, 2025
Description
The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise.
As a prerequisite, the custom export field should include fields containing user-supplied data.
As a prerequisite, the custom export field should include fields containing user-supplied data.
Solution
wp-all-export-pro-plugin-cve-2024-7419
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.