The plugin uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.
CPE | Name | Operator | Version |
---|---|---|---|
wp-all-export-pro | lt | 1.7.9 |