The WP All Export Pro WordPress plugin prior to 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users which has been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
soflyy wp all export |