Wp All Import Pro
cpe:2.3:a:soflyy:wp_all_import_pro:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Soflyy (87a26a9e-acd4-5262-bca3-fa77ab4eb5d0) |
|---|---|
| Product | Wp All Import Pro (dc92785e-89d7-5064-9359-25f38eb006b6) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2024-9664 | vulnerable | 2026-06-03 14:58:22.334205 | WP All Import Pro <= 4.9.7 - Authenticated (Administrator+) PHP Object Injection via Import File. HIGH (7.2). The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Published: 2025-02-07T15:21:04.505Z. Updated: 2026-04-08T16:32:20.720Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-9661 | vulnerable | 2026-06-03 14:58:22.330209 | WP All Import Pro <= 4.9.7 - Cross-Site Request Forgery to Imported Content Deletion. MEDIUM (4.3). The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: 2025-02-07T15:21:05.450Z. Updated: 2026-04-08T17:17:18.435Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-9624 | vulnerable | 2026-06-03 14:58:22.257285 | WP All Import Pro <= 4.9.3 - Authenticated (Administrator+) Server-Side Request Forgery via File Import. HIGH (7.6). The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata. Published: 2024-12-17T05:23:40.625Z. Updated: 2026-04-08T17:31:05.097Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-8722 | vulnerable | 2026-06-03 14:58:19.242930 | WP All Import Pro <= 4.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload. MEDIUM (5.5). The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. Published: 2025-01-19T04:21:13.279Z. Updated: 2026-04-08T17:27:39.131Z | Imported from gcve-enriched-dumps CVE data |