PT-2024-15204 · WordPress · Import Any Xml/Csv File To Wordpress

Quangnt · Published 2024-01-22 · Updated 2024-01-26 · CVE-2023-7082

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Import any XML or CSV File to WordPress plugin, versions prior to 3.7.3

Description
The plugin accepts any ZIP archive uploaded through its import feature and automatically extracts it into a publicly accessible directory without validating the types of the files it contains. A high-privilege user, such as an administrator, can therefore upload an archive holding executable file types (on a WordPress host, typically PHP scripts); once extracted under the web root, the web server will serve and execute them, potentially leading to remote code execution.

Recommendations
Update to version 3.7.3 or later, which resolves the issue. As a temporary workaround, restrict access to the ZIP file upload feature to minimize the risk of exploitation.
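The following is an added example, not code from the plugin or from the advisory, illustrating the flaw described above and one way to close it. The first function reproduces the vulnerable pattern (extract every archive member into a web-reachable directory); the second allowlists member names by extension, rejects path traversal and dot-prefixed files, and refuses the whole import if any member fails. The destination directory, the allowed-extension list and the constructed archive are assumptions made for the demonstration.

```php
<?php
// Added example (not the plugin's code). Assumes the import directory is
// served by the web server, as wp-content/uploads normally is.

// VULNERABLE pattern: every member is written as-is, so an archive member
// named shell.php becomes a URL the server will execute.
function extract_import_zip_unsafe(string $zipPath, string $destDir): bool
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return false;
    }
    $ok = $zip->extractTo($destDir);   // no per-member validation at all
    $zip->close();
    return $ok;
}

// HARDENED pattern: decide per member name before writing anything.
// Allowed extensions are an assumption for an XML/CSV importer.
const IMPORT_ALLOWED_EXT = ['xml', 'csv', 'txt', 'json'];

function import_member_name_is_safe(string $name): bool
{
    if ($name === '' || substr($name, -1) === '/') {
        return false;                  // empty or directory entry
    }
    // Reject NUL bytes, absolute paths, backslashes and any traversal segment.
    if (strpos($name, "\0") !== false || $name[0] === '/' || strpos($name, '\\') !== false) {
        return false;
    }
    foreach (explode('/', $name) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
    }
    $base = basename($name);
    // Dot-prefixed files such as .htaccess or .user.ini change how the
    // server treats the directory, so refuse them too.
    if ($base[0] === '.') {
        return false;
    }
    // Only the final extension counts: "data.csv.php" has extension "php".
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, IMPORT_ALLOWED_EXT, true);
}

function extract_import_zip_safe(string $zipPath, string $destDir): array
{
    $result = ['written' => [], 'rejected' => []];
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return $result;
    }
    // Pass 1: validate every member; a single bad one aborts the import.
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) === '/') {
            continue;                  // directory entries carry no data
        }
        if (!import_member_name_is_safe($name)) {
            $result['rejected'][] = $name;
        }
    }
    if ($result['rejected'] !== []) {
        $zip->close();
        return $result;
    }
    // Pass 2: write the validated members one by one (no extractTo()).
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -1) === '/') {
            continue;
        }
        $target = $destDir . '/' . $name;
        if (!is_dir(dirname($target))) {
            mkdir(dirname($target), 0755, true);
        }
        file_put_contents($target, $zip->getFromIndex($i));
        $result['written'][] = $name;
    }
    $zip->close();
    return $result;
}

// Demo with a constructed archive: one legitimate CSV and one PHP payload stub.
$zipPath = tempnam(sys_get_temp_dir(), 'imp') . '.zip';
$z = new ZipArchive();
$z->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('products.csv', "sku,price\nA1,9.99\n");
$z->addFromString('uploads/shell.php', "<?php /* attacker payload placeholder */");
$z->close();

$dest = sys_get_temp_dir() . '/import_' . bin2hex(random_bytes(4));
mkdir($dest);
$r = extract_import_zip_safe($zipPath, $dest);
echo 'rejected: ' . implode(', ', $r['rejected']) . "\n";   // uploads/shell.php
echo 'written: ' . count($r['written']) . "\n";             // 0: import aborted
```

Name-based allowlisting is the minimum the advisory's description calls for; a fuller fix would also check member contents against the claimed type and keep extracted data outside the web root or behind a deny rule. Note that "administrator only" does not make the issue moot: sites that set DISALLOW_FILE_MODS rely on administrators being unable to deploy code, and this upload path bypasses that.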

Related Identifiers: CVE-2023-7082

Affected Products: Import Any Xml/Csv File To Wordpress