CVE-2018-16257

Name of the Vulnerable Software and Affected Versions WP All Import plugin version 3.4.9

Description The issue concerns multiple XSS vulnerabilities. These can be accessed via the "action=template" endpoint. It's worth noting that the vendor disputes this being a vulnerability, citing that WP All Import can only be used by a logged-in administrator, and the described action can only be exploited by someone with administrative login credentials.

Recommendations For WP All Import plugin version 3.4.9, consider restricting access to the action=template endpoint to minimize the risk of exploitation. As a temporary workaround, review and limit administrative access to the plugin until a resolution or further guidance is provided. At the moment, there is no information about a newer version that contains a fix for this issue.