CVE-2024-13232
Published: 05 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13232 is an arbitrary SQL execution and privilege escalation vulnerability in the WordPress Awesome Import & Export Plugin, also referred to as the Import & Export WordPress Data plugin for WordPress. The issue arises from a missing capability check in the renderImport() function, affecting all versions up to and including 4.1.1. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit the vulnerability over the network with low complexity and no user interaction. By calling the renderImport() function, they can execute arbitrary SQL statements, which can be leveraged to create a new administrative user account, potentially granting full control over the WordPress site.
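As an added illustration (not the plugin's own code, whose internals the advisory does not show), the sketch below contrasts an import handler that acts without a capability check with a hardened form that authorizes the caller, verifies intent, and writes only through WordPress APIs; the handler shape, the `import_sql` and `import_rows` fields and the `example_*` names are assumptions.

```php
<?php
// Added illustration (not the plugin's code): the handler shape, the 'import_sql'
// and 'import_rows' fields and the 'example_*' names are assumptions. The advisory
// states only that renderImport() lacked a capability check and allowed arbitrary SQL.
// Pattern the advisory describes (CWE-862, Missing Authorization): the handler
// acts on the request without asking who the caller is, so any authenticated
// user who can reach it, including a Subscriber, gets the action performed.
function example_render_import_unchecked() {
    global $wpdb;
    $sql = isset( $_POST['import_sql'] ) ? wp_unslash( $_POST['import_sql'] ) : '';
    $wpdb->query( $sql ); // caller-chosen SQL, no capability or nonce check
}

// Hardened form: authorize, verify intent, then perform a constrained action.
function example_render_import_checked() {
    // 1. Authorization: importing data is an administrative operation. A
    //    Subscriber fails this check, which is exactly what was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to run imports.', 'example' ),
                '', array( 'response' => 403 ) );
    }
    // 2. Intent: the nonce ties the request to a form this admin rendered,
    //    so a forged cross-site request from an admin's browser fails too.
    check_admin_referer( 'example_import', 'example_import_nonce' );

    // 3. Least privilege in the action itself: never run caller-supplied SQL.
    //    Decode a structured payload and write through WordPress APIs, which
    //    fix the table and escape the values.
    $raw   = isset( $_POST['import_rows'] ) ? wp_unslash( $_POST['import_rows'] ) : '[]';
    $rows  = json_decode( $raw, true );
    $count = 0;
    if ( is_array( $rows ) ) {
        foreach ( $rows as $row ) {
            $post_id = wp_insert_post( array(
                'post_title'   => sanitize_text_field( $row['title'] ?? '' ),
                'post_content' => wp_kses_post( $row['content'] ?? '' ),
                'post_status'  => 'draft', // imported content is reviewed before publishing
                'post_type'    => 'post',
            ), true );
            if ( ! is_wp_error( $post_id ) ) {
                $count++;
            }
        }
    }
    wp_send_json_success( array( 'imported' => $count ) );
}
// Registering only the logged-in hook (no 'wp_ajax_nopriv_' variant) is not a
// substitute for the capability check: every logged-in role still reaches it.
add_action( 'wp_ajax_example_import', 'example_render_import_checked' );
```

The same two checks belong in front of any other entry point the plugin exposes (admin-post handlers, REST routes, shortcodes that trigger writes), since the authorization gap, not the SQL itself, is the root cause named by CWE-862.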
Advisories and further details are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f24f0673-b5c8-4086-8795-692228a413af?source=cve and the plugin's CodeCanyon page at https://codecanyon.net/item/wordpress-awesome-import-export-plugin-v-24/12896266. Security practitioners should review these sources for patch information and mitigation guidance.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization check that enables arbitrary SQL execution in a public-facing WordPress plugin, directly facilitating privilege escalation through the creation of administrator accounts (T1068) and exploitation of the public-facing web application (T1190).