Name of the Vulnerable Software and Affected Versions:

WP Import Export Lite plugin for WordPress versions up to and including 3.9.29

Description:

The WP Import Export Lite plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation within the `wpie parse upload data` function. This allows authenticated attackers with Subscriber-level access or higher, and permissions granted by an Administrator, to upload arbitrary files to the affected server, potentially leading to remote code execution. The vulnerability was partially addressed in version 3.9.29.

Recommendations:

Versions prior to 3.9.29 should be updated. As a temporary workaround, restrict file upload permissions for users with Subscriber-level access and below.