WordPress · Wp Import Export · CVE-2022-0236
**Name of the Vulnerable Software and Affected Versions**
WP Import Export WordPress plugin versions up to, and including, 3.9.15
**Description**
The issue is related to unauthenticated sensitive data disclosure due to a missing capability check on the `wpie process file download` function found in the `~/includes/classes/class-wpie-general.php` file. This allows unauthenticated attackers to download any imported or exported information from a vulnerable site, which can contain sensitive information like user data.
**Recommendations**
For versions up to, and including, 3.9.15, update to a version higher than 3.9.15 to resolve the issue.
As a temporary workaround, consider disabling the `wpie process file download` function until a patch is available.