CVE-2022-1565

WP All Import plagini 3.6.7 gacha bo'lgan versiyalarda wp_all_import_get_gz.php fayli orqali fayl turini tekshirish yo'qligi sababli o'zboshimchalik bilan fayllarni yuklashda zaifdir. Bu administrator va undan yuqori darajadagi ruxsatlarga ega autentifikatsiya qilingan tajovuzkorlarga ta'sirlangan saytlar serveriga o'zboshimchalik bilan fayllarni yuklash imkonini beradi, bu esa masofaviy kodni bajarishga imkon beradi.

CVSS Vector

Manbalar

• https://plugins.trac.wordpress.org/changeset/2749264/wp-all-import/trunk?contextall=1&old=2737093&old_path=%2Fwp-all-import%2Ftrunk
• https://www.wordfence.com/threat-intel/vulnerabilities/id/5d281333-d9af-4eb7-bc5c-ea7ceeddac03?source=cve
• https://www.wordfence.com/vulnerability-advisories/#CVE-2022-1565
• https://plugins.trac.wordpress.org/changeset/2749264/wp-all-import/trunk?contextall=1&old=2737093&old_path=%2Fwp-all-import%2Ftrunk
• https://www.wordfence.com/threat-intel/vulnerabilities/id/5d281333-d9af-4eb7-bc5c-ea7ceeddac03?source=cve