CVE-2022-1273
📋 TL;DR
The Import WP WordPress plugin before version 2.4.6 contains an arbitrary file upload vulnerability that allows authenticated administrators to upload malicious files, including PHP scripts, leading to remote code execution. This affects WordPress sites using the vulnerable plugin version, requiring admin-level access for exploitation.
💻 Affected Systems
- Import WP WordPress Plugin
📦 What is this software?
Import Wp by Importwp
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised admin credentials could upload a web shell, gain full control of the WordPress server, and potentially pivot to other systems on the network.
Likely Case
Malicious administrators or attackers who have compromised admin accounts upload PHP backdoors to maintain persistence and execute arbitrary commands on the server.
If Mitigated
With proper access controls and file upload restrictions, the impact is limited to the WordPress installation directory, but still allows code execution within that context.
🎯 Exploit Status
Exploitation requires admin credentials but is straightforward once authenticated. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.6
Vendor Advisory: https://wpscan.com/vulnerability/ad99b9ba-5f24-4682-a787-00f0e8e32603
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Import WP' plugin.
4. Click 'Update Now' if available, or manually update to version 2.4.6 or later.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable Import WP Plugin
Platform: all
Temporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate import-wp
Restrict File Uploads
Platform: linux
Configure the web server to block PHP file uploads in WordPress upload directories.
Add 'deny from all' to .htaccess in the wp-content/uploads/import-wp/ directory ('deny from all' is Apache 2.2 syntax; on Apache 2.4 use 'Require all denied'). Note that this blocks HTTP access to files already in that directory, which stops an uploaded PHP file from being reached, but it does not prevent the upload itself.
🧯 If You Can't Patch
- Remove admin access from untrusted users and implement strong password policies
- Implement web application firewall rules to block file uploads with PHP extensions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Import WP version. If version is below 2.4.6, the system is vulnerable.
Check Version:
wp plugin get import-wp --field=version
Verify Fix Applied:
Confirm Import WP plugin version is 2.4.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- File uploads to /wp-content/uploads/import-wp/ directory
- POST requests to /wp-admin/admin.php?page=import-wp with file upload parameters
- Execution of unexpected PHP files in upload directories
Network Indicators:
- HTTP POST requests with file uploads to import functionality
- Subsequent requests to uploaded PHP files in upload directories
SIEM Query:
source="web_access_logs" AND ((uri_path="/wp-admin/admin.php" AND query_string="*page=import-wp*" AND method="POST") OR uri_path="/wp-content/uploads/import-wp/*.php")
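The log indicators above, implemented as a small offline detector. This is an added example and not part of the advisory or the plugin's own code; it assumes the web server writes Apache/nginx "combined" access-log lines, the log sample is constructed for illustration, and the set of PHP-like extensions it flags is an assumption. It also correlates the two indicators per client address, which the SIEM query alone does not do.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

# Assumption: the web server logs in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_DIR = "/wp-content/uploads/import-wp/"
# Assumption: extensions the PHP handler may execute; extend to match your server config.
PHP_EXTS = (".php", ".phtml", ".phar")

RULE_ADMIN_POST = "import-wp-admin-post"
RULE_PHP_IN_UPLOADS = "php-in-import-wp-uploads"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2022:12:00:01 +0000] "POST /wp-admin/admin.php?page=import-wp&tab=new HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2022:12:00:09 +0000] "GET /wp-content/uploads/import-wp/export.php HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Apr/2022:12:01:00 +0000] "GET /wp-content/uploads/import-wp/data.csv HTTP/1.1" 200 9001',
    '198.51.100.7 - - [10/Apr/2022:12:01:05 +0000] "GET /wp-admin/admin.php?page=import-wp HTTP/1.1" 200 4400',
]


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str
    target: str
    status: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[str]:
    """Return the rule name an access-log record matches, or None."""
    parts = urlsplit(rec["target"])
    path = parts.path
    qs = parse_qs(parts.query)
    # Indicator 1: POST to the plugin's admin page (where imports/uploads are submitted).
    if (rec["method"] == "POST" and path == "/wp-admin/admin.php"
            and "import-wp" in qs.get("page", [])):
        return RULE_ADMIN_POST
    # Indicator 2: any request for a PHP-like file under the plugin's upload directory.
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(PHP_EXTS):
        return RULE_PHP_IN_UPLOADS
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run both indicators over raw log lines, skipping lines that do not parse."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rule = classify(rec)
        if rule:
            findings.append(Finding(rec["ip"], rec["ts"], rule, rec["target"], rec["status"]))
    return findings


def correlate(findings: List[Finding]) -> Set[str]:
    """Client addresses that both posted to the plugin page and fetched PHP from its
    upload directory: the strongest signal of an upload followed by execution."""
    by_ip: Dict[str, Set[str]] = {}
    for f in findings:
        by_ip.setdefault(f.ip, set()).add(f.rule)
    return {ip for ip, rules in by_ip.items()
            if {RULE_ADMIN_POST, RULE_PHP_IN_UPLOADS} <= rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.rule} {h.target} status={h.status}")
    print("correlated:", sorted(correlate(hits)))
```

A PHP hit under the upload directory with a 200 status means the server executed or served the file; a 403 on the same path after applying the .htaccess workaround above is what you would expect to see instead, so the `status` field is worth keeping in the alert.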