CVE-2024-8722
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to upload malicious SVG files containing stored XSS payloads through the Import any XML or CSV File to WordPress PRO plugin. When users access these uploaded SVG files, arbitrary JavaScript executes in their browsers. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Import any XML or CSV File to WordPress PRO (WP All Import Pro)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, credential harvesting, or malware distribution to site visitors.
Likely Case
Privileged administrator injects malicious scripts affecting other administrators or users, potentially stealing session cookies or performing actions on their behalf.
If Mitigated
Limited to administrators who intentionally upload malicious files, with minimal impact if proper content security policies and user education are in place.
🎯 Exploit Status
Exploitation requires administrator credentials. Attack involves uploading specially crafted SVG files with JavaScript payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.8 or later
Vendor Advisory: https://www.wpallimport.com/downloads/wp-all-import-annual/?changelog=1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP All Import Pro' and check whether an update is available.
4. Click 'Update Now' or manually update to version 4.9.8+.
5. Verify the plugin version in the plugin details.
🔧 Temporary Workarounds
Disable SVG uploads via .htaccess
Block the web server from serving SVG files, so an uploaded SVG cannot be opened in a browser. Add to .htaccess:
<FilesMatch "\.svg$">
    # Apache 2.2 syntax (still works on 2.4 with mod_access_compat);
    # on Apache 2.4 the native equivalent is: Require all denied
    Order Allow,Deny
    Deny from all
</FilesMatch>
Implement Content Security Policy
Add a CSP header so that scripts embedded in uploaded files are not executed. Note that script-src 'self' without 'unsafe-inline' also blocks the inline scripts the WordPress admin and most themes rely on, so scope the header to the uploads directory (for example a .htaccess inside wp-content/uploads) rather than the whole site.
Add to .htaccess (requires mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
For Nginx: add_header Content-Security-Policy "default-src 'self'; script-src 'self';";
🧯 If You Can't Patch
- Temporarily disable the WP All Import Pro plugin
- Restrict administrator accounts to trusted personnel only and monitor upload activity
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → WP All Import Pro version. If version is 4.9.7 or lower, you are vulnerable.
Check Version:
WordPress CLI: wp plugin list --name="wp-all-import-pro" --field=version
Verify Fix Applied:
Confirm plugin version is 4.9.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file uploads by administrators
- Multiple SVG uploads in short timeframes
- Uploads with suspicious filenames or sizes
Network Indicators:
- Requests to SVG files with query parameters
- SVG files serving JavaScript content
SIEM Query:
source="wordpress" AND (event="plugin_upload" OR file_extension="svg") AND user_role="administrator"
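The indicators above say what to look for; as an added example (not part of this advisory or of the plugin), the following Python script triages SVG files already present in the uploads directory for the active content that makes this stored XSS possible: script elements, on* event-handler attributes, javascript: hrefs and foreignObject. The uploads path and the two sample SVGs are constructed assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

def local_name(qualified: str) -> str:
    return qualified.rsplit("}", 1)[-1].lower()  # "{uri}name" -> "name", case-folded

def find_active_content(svg_text: str) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing active was seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_text)  # use defusedxml here for bulk untrusted input
    except ET.ParseError:
        # Malformed file: fall back to a text search so truncated payloads are not missed.
        if re.search(r"<\s*script|\bon\w+\s*=|javascript:", svg_text, re.I):
            findings.append("unparsable SVG with script-like content")
        return findings
    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (can embed HTML)")
        for attr, value in elem.attrib.items():
            name = local_name(attr)  # handles xlink:href as well as plain href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(("javascript:", "data:text/html")):
                findings.append(f"active href on <{tag}>")
    return findings

def scan_uploads(upload_dir: str) -> dict[str, list[str]]:
    """Scan every .svg (any case) under a directory such as wp-content/uploads."""
    report: dict[str, list[str]] = {}
    for path in Path(upload_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".svg":
            hits = find_active_content(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples for a quick self-check; not taken from any real upload.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPTED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
                ' onload="run()"><script>run()</script><a xlink:href="javascript:run()">x</a></svg>')

if __name__ == "__main__":
    for path, hits in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads").items():
        print(f"{path}: {'; '.join(hits)}")
```

Run it against the site's uploads directory; every file it lists should be reviewed and, unless it was uploaded deliberately by a trusted administrator, removed.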