CVE-2024-7419

Name of the Vulnerable Software and Affected Versions WP ALL Export Pro plugin for WordPress versions up to, and including, 1.9.1

Description The issue is related to the lack of input validation and sanitization of user-supplied data in the custom export fields. This allows unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise. The custom export field must include fields containing user-supplied data for this issue to occur.

Recommendations For WP ALL Export Pro plugin for WordPress versions up to, and including, 1.9.1, update to a version higher than 1.9.1 to resolve the issue. As a temporary workaround, consider disabling the custom export fields until a patch is available. Restrict access to the custom export fields to minimize the risk of exploitation. Avoid using the custom export fields that contain user-supplied data until the issue is resolved.