CVE-2022-0236
📋 TL;DR
This vulnerability in the WP Import Export WordPress plugin allows unauthenticated attackers to download any imported or exported data from vulnerable sites. This can expose sensitive information including user data, passwords, and other confidential content. All WordPress sites using affected plugin versions are at risk.
💻 Affected Systems
- WP Import Export WordPress Plugin (Free and Premium)
📦 What is this software?
Wp Import Export by Vjinfotech
⚠️ Risk & Real-World Impact
Worst Case
Complete data breach exposing all imported/exported data including user credentials, personal information, and site configuration, potentially leading to account takeover and further compromise.
Likely Case
Exposure of sensitive user data, configuration files, and potentially administrative credentials stored in exports.
If Mitigated
Limited impact if no sensitive data has been imported/exported, but plugin functionality remains compromised.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint. Public exploit code available on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.16 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2649762/wp-import-export-lite/trunk/includes/classes/class-wpie-general.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WP Import Export plugin
4. Click 'Update Now' if available
5. If no update available, download version 3.9.16+ from WordPress repository
6. Deactivate, delete old version, upload and activate new version
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until patched
wp plugin deactivate wp-import-export-lite
Web Application Firewall Rule
Block access to the vulnerable endpoint (Apache configuration; on Apache 2.4 without mod_access_compat, replace "Deny from all" with "Require all denied")
<LocationMatch "/wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general\.php">
    Deny from all
</LocationMatch>
🧯 If You Can't Patch
- Disable WP Import Export plugin immediately
- Implement web application firewall rules to block access to /wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the WP Import Export version is 3.9.15 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=wp-import-export-lite --field=version
Verify Fix Applied:
Verify plugin version is 3.9.16 or higher. Test by attempting to access /wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php?wpie_download=true - should return 403 or similar error.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php with wpie_download parameter
- Large file downloads from plugin directory by unauthenticated users
Network Indicators:
- Unusual spikes in traffic to plugin files
- Data exfiltration patterns from WordPress sites
SIEM Query:
source="web_logs" AND uri_path="/wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php" AND query_string="*wpie_download*"
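Added example (not from the advisory, the plugin, or the exploit repository): a small Python scanner that applies the log indicators above to Apache combined-format access log lines, flagging requests to the class-wpie-general.php path carrying a wpie_download parameter and large transfers from the plugin directory. The sample log lines, the 1 MB "large download" threshold and the indicator names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jan/2022:10:01:02 +0000] "GET /wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php?wpie_download=true HTTP/1.1" 200 5242880 "-" "curl/7.68.0"
198.51.100.7 - - [20/Jan/2022:10:02:15 +0000] "GET /wp-admin/admin.php?page=wpie-export HTTP/1.1" 200 14320 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Jan/2022:10:03:44 +0000] "GET /wp-content/plugins/wp-import-export-lite/assets/js/app.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Jan/2022:10:05:00 +0000] "GET /wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php?wpie_download=1 HTTP/1.1" 403 199 "-" "python-requests/2.25"
"""

# Combined-log-format fields we need: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
VULN_PATH = "/wp-content/plugins/wp-import-export-lite/includes/classes/class-wpie-general.php"
PLUGIN_DIR = "/wp-content/plugins/wp-import-export-lite/"
LARGE_BYTES = 1_000_000  # assumed threshold for a "large file download"

def classify(line):
    """Return the list of indicator names triggered by one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    hits = []
    # Indicator 1: request to the vulnerable file with the wpie_download parameter.
    if parts.path == VULN_PATH and "wpie_download" in query:
        hits.append("wpie_download_request")
        if m.group("status") == "200":  # a 403 here means the fix/WAF rule is working
            hits.append("download_succeeded")
    # Indicator 2: large response served from anywhere under the plugin directory.
    if parts.path.startswith(PLUGIN_DIR) and size >= LARGE_BYTES:
        hits.append("large_plugin_dir_transfer")
    return hits

def scan(log_text):
    """Return (client_ip, status, indicators) for every line that triggers an indicator."""
    findings = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            findings.append((LOG_RE.match(line).group("ip"), LOG_RE.match(line).group("status"), hits))
    return findings

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        print(ip, status, ", ".join(hits))
```

A successful download shows up as both wpie_download_request and download_succeeded; after patching or applying the WAF rule the same request should only produce wpie_download_request with a 403 status.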
🔗 References
- https://github.com/qurbat/CVE-2022-0236
- https://plugins.trac.wordpress.org/changeset/2649762/wp-import-export-lite/trunk/includes/classes/class-wpie-general.php
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-0236