CVE-2024-7425
Published: 07 February 2025
Description
The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Security Summary
CVE-2024-7425 is a vulnerability in the WP ALL Export Pro plugin for WordPress that allows unauthorized modification of data, leading to privilege escalation. It stems from improper user input validation and sanitization in all versions up to and including 1.9.1. The issue, classified under CWE-94 (Code Injection), has a CVSS v3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-02-07.
Authenticated attackers with Shop Manager-level access or higher can exploit this vulnerability over the network with low complexity, though it requires user interaction. By updating arbitrary WordPress options, they can, for example, change the default role for new user registrations to administrator and enable user registration. This enables the attackers to create administrative accounts and gain full control over the vulnerable site.
Advisories from Wordfence detail the vulnerability and recommend mitigation through updating the plugin, as indicated by the official upgrade page from WP All Import. Security practitioners should ensure sites running affected versions upgrade promptly to patched releases to prevent exploitation.
Details
- CWE(s)