Import any XML or CSV File to WordPress <= 3.2.3 - RCE

ID WPVDB-ID:87C4B6BD-D417-452B-981B-FD7D715D4850
Type wpvulndb
Reporter James Golovich
Modified 2020-09-22T06:03:48


WP All Import does not properly verify that a user has permission to execute functions. Coupled with an interesting method that allows arbitrary functions in specific objects to be called allows this to be leveraged in many ways.