An Arbitrary File Upload vulnerability has been identified in the WordPress Export Import Menus Plugin. This vulnerability allows an attacker to upload any type of file to the affected website, including malicious files that could be used to take control of the website.
This vulnerability was discovered and responsibly reported by Emili Castells.
The vulnerability is an Arbitrary File Upload vulnerability that occurs in the export-import-menus.php file. The vulnerability allows an attacker to upload arbitrary files to the website by specifying a specially crafted URL.
The vendor has not yet released a patched version of the plugin. Users are advised to uninstall the plugin until a patched version is available.
Severity:
The vulnerability has a CVSS 3.1 score of 9.9, which is considered to be critical. This means that the vulnerability is highly exploitable and could have a significant impact on the affected system.
Affected Versions:
The vulnerability affects all versions of the Export Import Menus Plugin prior to 1.8.0.
Impact:
An attacker who successfully exploits this vulnerability could upload any type of file to the affected website, such as:
- Backdoors
- Viruses
- Phishing scripts
This malicious code could then be executed by visitors to the website, potentially leading to a variety of security risks, such as:
- Stealing personal information
- Damaging the website’s files or database
- Taking control of the website
Recommendation:
Take the following action to protect the websites:
- Uninstall the Plugin: Users of the Export Import Menus Plugin are strongly advised to uninstall the plugin until a patched version is available.
- Stay Updated: Stay informed about official updates or advisories related to the Export Import Menus Plugin.
- Enhance Security Measures: Strengthen your website’s security measures by implementing robust authentication protocols, access controls, and regular security audits.
