PT-2022-18227 · WordPress · Import Any Xml/Csv File To Wordpress

Lucy · Published 2022-11-07 · Updated 2025-05-05 · CVE-2022-2711

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Import any XML or CSV File to WordPress plugin versions prior to 3.6.9

Description

The issue allows highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector. This is due to the plugin not validating the paths of files contained in uploaded zip archives.

Recommendations

For versions prior to 3.6.9, update to version 3.6.9 or later to resolve the issue. As a temporary workaround, consider restricting the upload of zip archives or limiting the privileges of users who can upload files to minimize the risk of exploitation.
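
The kind of check the description says was missing, as an added example in PHP (not the plugin's code and not its 3.6.9 patch): every archive entry name is validated before anything is written, and absolute names or names with a `..` segment are refused. The function names, temporary paths and sample archive are constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, not taken from the plugin.
function safe_entry_path(string $name): ?string {
    $name = str_replace('\\', '/', $name);
    // Refuse empty names, absolute paths, Windows drive letters and NUL bytes.
    if ($name === '' || $name[0] === '/' || preg_match('/^[A-Za-z]:/', $name)
        || strpos($name, "\0") !== false) {
        return null;
    }
    $parts = [];
    foreach (explode('/', $name) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') return null; // any parent-directory segment is refused
        $parts[] = $seg;
    }
    return $parts ? implode('/', $parts) : null;
}

// Extract entry by entry instead of trusting the names stored in the archive.
function extract_zip_safely(string $zipFile, string $destDir): array {
    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) {
        throw new RuntimeException("cannot open $zipFile");
    }
    $written = []; $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $rel  = safe_entry_path($name);
        if ($rel === null) { $rejected[] = $name; continue; }
        if (substr($name, -1) === '/') continue; // directory entry, created on demand
        $data = $zip->getFromIndex($i);
        if ($data === false) { $rejected[] = $name; continue; }
        $target = $destDir . '/' . $rel;
        if (!is_dir(dirname($target))) mkdir(dirname($target), 0755, true);
        file_put_contents($target, $data);
        $written[] = $rel;
    }
    $zip->close();
    return [$written, $rejected];
}
// Constructed sample archive: one ordinary entry, one with a traversal name.
$tmp = sys_get_temp_dir() . '/zipdemo_' . bin2hex(random_bytes(4));
mkdir("$tmp/out", 0700, true);
$z = new ZipArchive();
$z->open("$tmp/in.zip", ZipArchive::CREATE);
$z->addFromString('data/products.csv', "sku,price\n1,9.99\n");
$z->addFromString('../escaped.txt', "x");
$z->close();
[$ok, $bad] = extract_zip_safely("$tmp/in.zip", "$tmp/out");
print_r(['written' => $ok, 'rejected' => $bad]);
```

The destination directory is assumed to be freshly created and free of symlinks; a pre-existing symlink inside it could still redirect a write.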

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2022-2711

Affected Products

Import Any Xml/Csv File To Wordpress