CVE-2022-0236 HIGH

CVE-2022-0236: WP Import Export (Lite) <= 3.9.15 Unauthenticated Sensitive Data Disclosure

Vendor: Vjinfotech
Product: WP Import Export
Weakness: CWE-862 (Missing authorization)
Published: January 18, 2022
Last update: January 31, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure because the download function wpie_process_file_download, found in the ~/includes/classes/class-wpie-general.php file, is missing a capability check. This makes it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site, which can contain sensitive information such as user data. This affects versions up to and including 3.9.15.
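The following is an added example, not the plugin's own code: a hypothetical WordPress download handler showing where a capability check of the kind the description says wpie_process_file_download lacked would sit. The function name, request parameters, nonce action, export directory and the choice of manage_options as the required capability are all assumptions.

```php
<?php
// Hypothetical handler (not the plugin's code). The function name, request
// parameters, nonce action and export directory are illustrative assumptions.

add_action( 'admin_init', 'example_process_file_download' );

function example_process_file_download() {
    // Only act on requests addressed to this handler.
    if ( ! isset( $_GET['example_download'], $_GET['file'] ) ) {
        return;
    }

    // Authorization: the step CWE-862 describes as missing. Hooks such as
    // init and admin_init also fire for logged-out visitors (for example via
    // admin-ajax.php and admin-post.php), so the hook is not an access control.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to download this file.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Request intent: a nonce bound to this action rejects cross-site requests.
    check_admin_referer( 'example_download_file' );

    // Resolve the requested name inside the export directory only.
    $uploads  = wp_upload_dir();
    $base_dir = realpath( trailingslashit( $uploads['basedir'] ) . 'example-exports' );
    $name     = sanitize_file_name( wp_unslash( $_GET['file'] ) );
    $path     = $base_dir ? realpath( $base_dir . DIRECTORY_SEPARATOR . $name ) : false;

    if ( ! $path || 0 !== strpos( $path, $base_dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_die( 'File not found.', 'Not Found', array( 'response' => 404 ) );
    }

    // Stream the file only after every check above has passed.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

When reviewing a plugin for this class of bug, confirm that every code path reaching a file-streaming call passes through a capability check first, not only the path reachable from the admin menu.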

Key dates

02 Disclosure timeline

January 18, 2022: CVE published
January 31, 2025: Record updated
