CVE-2022-1565
📋 TL;DR
The WP All Import WordPress plugin up to version 3.6.7 contains a vulnerability that allows authenticated attackers with administrator-level permissions to upload arbitrary files via the wp_all_import_get_gz.php file due to missing file type validation. This can lead to remote code execution on affected WordPress sites. Only WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- WP All Import WordPress Plugin
📦 What is this software?
Wp All Import by Wpallimport
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install backdoors, steal data, deface websites, or use the server for malicious activities.
Likely Case
Attackers upload web shells or malicious scripts to gain persistent access, execute arbitrary commands, and potentially pivot to other systems.
If Mitigated
No impact if proper access controls, file upload restrictions, and security monitoring are in place.
🎯 Exploit Status
Exploitation requires administrator credentials but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.8 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/2749264/wp-all-import/trunk
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP All Import.
4. Click 'Update Now' if available, or download version 3.6.8+ from WordPress.org.
5. Replace the plugin files manually if the automatic update fails.
🔧 Temporary Workarounds
Remove vulnerable file
Linux: Delete or rename the vulnerable wp_all_import_get_gz.php file to prevent exploitation
rm /path/to/wp-content/plugins/wp-all-import/wp_all_import_get_gz.php
Restrict file uploads
All platforms: Implement web application firewall rules to block suspicious file uploads to the plugin directory
🧯 If You Can't Patch
- Disable or remove the WP All Import plugin entirely
- Implement strict access controls and monitoring for administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check if wp_all_import_get_gz.php exists in /wp-content/plugins/wp-all-import/ and verify plugin version is 3.6.7 or earlier
Check Version:
grep -m1 'Version:' /path/to/wp-content/plugins/wp-all-import/wp-all-import.php | cut -d: -f2 | tr -d ' '
Verify Fix Applied:
Confirm wp_all_import_get_gz.php file has been removed or modified, and plugin version shows 3.6.8 or higher
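The two checks above (vulnerable file present, plugin version below 3.6.8) combined into one script, as an added example that is not part of this advisory or of the plugin vendor's tooling. It assumes the plugin's main file is wp-all-import.php inside the plugin directory (the path this page uses) and compares versions numerically so that a later release such as 3.6.10 is not mistaken for an older one by string comparison. The fixtures it builds in a temporary directory are constructed test data.

```shell
#!/bin/sh
# Added example: classify a WP All Import install as vulnerable / mitigated / fixed.
# Assumptions: the plugin's main file is <plugin dir>/wp-all-import.php and carries a
# standard "Version:" header line.

FIXED_VERSION="3.6.8"                 # first release with the fix (from the advisory)
VULN_FILE="wp_all_import_get_gz.php"  # file that lacks upload type validation

# Print the value of the "Version:" header from a plugin main file.
plugin_version() {
    grep -m1 'Version:' "$1" | sed 's/.*Version:[[:space:]]*//' | tr -d '[:space:]'
}

# Return 0 if dotted version $1 is numerically lower than $2 (3.6.10 > 3.6.8).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0; if (xi > yi) exit 1;
        }
        exit 1;   # equal versions are not "lower"
    }'
}

# Print one status word for the plugin directory given as $1:
#   not-installed  main file missing
#   vulnerable     version < 3.6.8 and the unvalidated upload file is present
#   mitigated      version < 3.6.8 but the file was removed (workaround applied)
#   fixed          version >= 3.6.8
check_plugin() {
    dir="$1"
    main="$dir/wp-all-import.php"
    [ -f "$main" ] || { echo "not-installed"; return 2; }
    ver="$(plugin_version "$main")"
    if version_lt "$ver" "$FIXED_VERSION"; then
        if [ -f "$dir/$VULN_FILE" ]; then echo "vulnerable"; return 1; fi
        echo "mitigated"; return 0
    fi
    echo "fixed"; return 0
}

# Build a constructed plugin directory in a temp dir: $1 = version, $2 = "yes" to
# include the vulnerable file. Prints the directory path.
make_fixture() {
    d="$(mktemp -d)"
    printf '<?php\n/*\nPlugin Name: WP All Import\nVersion: %s\n*/\n' "$1" > "$d/wp-all-import.php"
    if [ "$2" = "yes" ]; then printf '<?php\n' > "$d/$VULN_FILE"; fi
    echo "$d"
}

# Demo over constructed fixtures; on a real host run: check_plugin /path/to/wp-content/plugins/wp-all-import
for spec in 3.6.7:yes 3.6.7:no 3.6.8:no 3.6.10:yes; do
    v="${spec%:*}"; f="${spec#*:}"
    fixture="$(make_fixture "$v" "$f")"
    printf 'version %s, file present=%s -> %s\n' "$v" "$f" "$(check_plugin "$fixture")"
    rm -rf "$fixture"
done
```

The "mitigated" state corresponds to the temporary workaround above: it tells you the file-removal stopgap is in place but the plugin still needs updating, and the check should be rerun after any plugin reinstall, since a reinstall of an old version restores the file.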
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/plugins/wp-all-import/
- POST requests to wp_all_import_get_gz.php with suspicious file extensions
- Administrator account login from unusual locations
Network Indicators:
- HTTP requests containing file uploads to the vulnerable endpoint
- Traffic patterns suggesting web shell communication
SIEM Query:
source="web_logs" AND (uri="/wp-content/plugins/wp-all-import/wp_all_import_get_gz.php" OR uri CONTAINS "wp_all_import_get_gz") AND (method="POST" OR file_extension IN ["php", "jsp", "asp", "exe"])
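The SIEM query above applied to a plain web server access log, as an added example that is not part of this advisory. It assumes the common/combined log format used by Apache and Nginx; the log lines are constructed and the IP addresses are documentation ranges. Any request to the endpoint is reported, with POSTs (the upload path) marked separately from GET probes.

```shell
#!/bin/sh
# Added example: report hits on wp_all_import_get_gz.php from a combined-format access log.
# Field layout: $1 client IP, $4 "[timestamp", $6 "\"METHOD", $7 request URI.

LOG="$(mktemp)"
# Constructed sample log (not real traffic): one admin page view, one POST to the
# vulnerable endpoint, one GET probe of it, one unrelated request.
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/Apr/2022:12:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2022:12:00:09 +0000] "POST /wp-content/plugins/wp-all-import/wp_all_import_get_gz.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2022:12:01:00 +0000] "GET /wp-content/plugins/wp-all-import/wp_all_import_get_gz.php?x=1 HTTP/1.1" 200 77 "-" "curl/7.68.0"
198.51.100.7 - - [10/Apr/2022:12:01:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "curl/7.68.0"
EOF

# Print "ip timestamp kind uri" for every request touching the endpoint ($1 = log path).
# kind is upload-attempt for POST and probe for anything else.
endpoint_hits() {
    awk '$7 ~ /wp_all_import_get_gz\.php/ {
        method = $6; sub(/^"/, "", method)
        kind = (method == "POST") ? "upload-attempt" : "probe"
        print $1, $4, kind, $7
    }' "$1"
}

# Count only the POSTs, i.e. the lines an alert should fire on.
count_upload_attempts() {
    endpoint_hits "$1" | awk '$3 == "upload-attempt"' | wc -l | tr -d ' '
}

endpoint_hits "$LOG"
echo "upload attempts: $(count_upload_attempts "$LOG")"
```

On a real host the log path would be something like /var/log/apache2/access.log; pair a hit with the administrator login records the advisory lists under Log Indicators, since the upload requires an authenticated administrator session and a POST from an address that never logged in is itself worth investigating.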
🔗 References
- https://plugins.trac.wordpress.org/changeset/2749264/wp-all-import/trunk?contextall=1&old=2737093&old_path=%2Fwp-all-import%2Ftrunk
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5d281333-d9af-4eb7-bc5c-ea7ceeddac03?source=cve
- https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1565