PT-2026-50841 · Addonspress · Advanced Import

Loris Lentini · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-4328

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Advanced Import versions prior to 1.4.7

Description: Server-Side Request Forgery (SSRF) occurs because the plugin passes a user-supplied URL to wp_remote_get() without validating that the destination does not resolve to internal or private network resources. The issue is located in the demo_download_and_unzip() function. When the demo file type is set to 'url', the demo_file parameter from $_POST is run through sanitize_text_field(), which only strips tags and whitespace and therefore only mitigates cross-site scripting (XSS), and is then handed directly to the HTTP request function. Authenticated attackers with Author-level access or higher (that is, holding the upload_files capability) can use this to make web requests to arbitrary locations from the application, potentially querying and reading data from internal services or cloud instance metadata endpoints.

Recommendations: Update to a version later than 1.4.6. As a temporary workaround, restrict access for users with Author-level permissions or disable the demo_download_and_unzip() function until the update is applied.
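To make the defect concrete, here is an added illustration (not the plugin's code, and not the vendor's fix) of the weak pattern the advisory describes beside a hardened variant built on the WordPress HTTP API; the handler names, the nonce action and the allow-listed host are hypothetical, while demo_file is the parameter named above.

```php
<?php
// Added illustration, not Advanced Import's own code. Function names, the
// nonce action and the allow-listed host are hypothetical placeholders.

// Weak pattern: sanitize_text_field() strips tags and stray whitespace but
// says nothing about WHERE the request goes, so loopback, RFC 1918 and
// cloud-metadata destinations are all fetched by the server.
function demo_fetch_weak() {
    $url = sanitize_text_field( wp_unslash( $_POST['demo_file'] ?? '' ) );
    return wp_remote_get( $url );
}

// Hardened pattern: capability and nonce checks, scheme restriction,
// WordPress' own URL validation (rejects loopback/private hosts), an
// explicit host allow-list, and the "safe" request wrapper, which also
// re-validates redirect targets.
function demo_fetch_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    check_ajax_referer( 'demo_import', 'nonce' ); // hypothetical nonce action

    // Only https is accepted; esc_url_raw() drops anything else.
    $url = esc_url_raw( wp_unslash( $_POST['demo_file'] ?? '' ), array( 'https' ) );
    if ( '' === $url || ! wp_http_validate_url( $url ) ) {
        return new WP_Error( 'bad_url', 'URL rejected.' );
    }

    // Demo packages come from a known origin, so pin the host as well.
    $allowed_hosts = array( 'demos.example.com' ); // constructed placeholder
    $host          = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return new WP_Error( 'bad_host', 'Host not on allow-list.' );
    }

    $response = wp_safe_remote_get(
        $url,
        array( 'timeout' => 15, 'redirection' => 0 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Download failed.' );
    }
    return wp_remote_retrieve_body( $response );
}
```

Note that wp_http_validate_url() can be relaxed through the http_request_host_is_external filter, so the host allow-list is the control that does not depend on other plugins' filter choices.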

Fix

SSRF


Weakness Enumeration

Related Identifiers: CVE-2026-4328

Affected Products: Advanced Import