CVE-2024-7419
Published: 07 February 2025
Description
The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that is then executed on the server during the export, potentially leading to a complete site compromise. As a prerequisite, the custom export field should include fields containing user-supplied data.
Security Summary
CVE-2024-7419 is a remote code execution (RCE) vulnerability affecting the WP ALL Export Pro plugin for WordPress in all versions up to and including 1.9.1. The flaw stems from missing input validation and sanitization of user-supplied data in custom export fields, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating high severity due to its potential for network-based exploitation with scope change and high impacts across confidentiality, integrity, and availability.
Unauthenticated attackers (PR:N) can exploit this vulnerability by injecting arbitrary PHP code into form fields containing user-supplied data, provided that, as a prerequisite, the custom export field includes such fields. The attack requires high complexity (AC:H) and user interaction (UI:R), such as a site administrator triggering the export process. Successful exploitation leads to PHP code execution on the server, potentially resulting in complete site compromise.
Advisories from Wordfence detail the vulnerability in their threat intelligence report, while the plugin vendor at WP All Import recommends upgrading to a patched version of WP ALL Export Pro beyond 1.9.1 to mitigate the issue. Security practitioners should verify and apply updates promptly, especially for sites using custom export configurations with user-supplied data.
Details
- CWE(s)