Tuesday, 2 April 2019

CVE-2018-16254 to CVE-2018-16259 - XSS in Import any XML or CSV File for WordPress

Exploit Author: Mohammed Ansari S ( ansaert@gmail.com )
Date: August 21 2018
Affected Version: 3.4.9
Active installations: 100,000+
Plugin: https://wordpress.org/plugins/wp-all-import/

POC will be disclosed once it fixed. Waiting for developer approval.

1 comment:

  1. Hi there,

    My hosting partner uses comodo so my WPallimport isn’t working as supposed due to the WAV rule. I asked Softly to comment in the message above and this is their answer:
    We have reviewed these and determined that they can only be taken advantage of by a logged in administrator. This part of both of the reports is 100% false:

    A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

    The "custom_type" and "large_feed_limit" parameters that they're referring to are in the POST variable, which you can't pass data to by crafting a link for an admin to click. The HTML/script code would have to be knowingly submitted in a form that can only be accessed by a logged in administrator.

    An administrator can do anything they want to a site, and this "vulnerability" can only be exploited intentionally and by an administrator, so it is not something that should be worried about or fixed.

    Best Regards,

    It’s very important for me that wpai is working again and i’m stuck between the hoster, who obviously doesn’t want to delete the WAV rule, the developer, who claims that there is No vulnerability and Comodo that blocks my import command.

    I hope the info above is enough for comodo to delete the rule gasinstallatie wpai. If not please can you contact wpai? support@wpallimport.com

    Thank you so much.