PT-2026-55493 · WordPress · Wp Import Export Lite
Ddadd
Published: 2026-07-03
Updated: 2026-07-03
CVE-2026-11397
CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WP Import Export Lite versions prior to 3.9.31
Description
An issue exists in the wpie_import_upload_file_from_url AJAX action. The plugin first uses wp_safe_remote_get() to download the file; that function refuses to connect to private IP ranges. If the call returns a WP_Error, however, the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original user-supplied URL, without any SSRF protection and with TLS certificate verification disabled. This allows authenticated attackers with administrator-level access to perform Server-Side Request Forgery (SSRF): they can make the server issue web requests to arbitrary locations, such as querying or modifying information from internal services like the cloud metadata endpoint at 169.
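The fallback pattern the description refers to, shown as an added illustration that is not the plugin's own code: a hypothetical download function that retries with Guzzle after a WP_Error, beside a hardened variant that treats the WP_Error as final, validates the URL with WordPress's own wp_http_validate_url(), and leaves certificate verification on. Function names and error codes here are assumptions; only the WordPress and Guzzle API calls are real.

```php
<?php
// Added illustration, not the plugin's actual code. Function names
// and error codes are hypothetical; the WordPress helpers
// (wp_safe_remote_get, is_wp_error, wp_http_validate_url,
// wp_remote_retrieve_*) and GuzzleHttp\Client::request() are real.

use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;

// Vulnerable pattern described in the advisory: the SSRF-aware
// wp_safe_remote_get() runs first (a private address is rejected with
// a WP_Error, as is any transport failure), but ANY WP_Error triggers a
// fallback that re-sends the raw URL through Guzzle with no host checks
// and with TLS verification switched off ('verify' => false).
function download_file_vulnerable( $url ) {
    $response = wp_safe_remote_get( $url, array( 'timeout' => 30 ) );
    if ( ! is_wp_error( $response ) ) {
        return wp_remote_retrieve_body( $response );
    }
    try {
        $client = new Client();
        $res    = $client->request( 'GET', $url, array( 'verify' => false ) );
        return (string) $res->getBody();
    } catch ( GuzzleException $e ) {
        return false;
    }
}

// Hardened variant: a WP_Error from wp_safe_remote_get() is a failure,
// never a reason to retry with a less restrictive client. The URL is
// also pre-validated with wp_http_validate_url(), which rejects
// non-http(s) schemes, embedded credentials, and loopback / private
// IPv4 ranges after resolving the host. Returns body string or WP_Error.
function download_file_hardened( $url ) {
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return new WP_Error( 'wpie_invalid_url', 'URL failed validation.' );
    }
    $response = wp_safe_remote_get( $validated, array( 'timeout' => 30 ) );
    if ( is_wp_error( $response ) ) {
        return $response; // surface the error to the caller; no fallback
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'wpie_http_error', "Unexpected HTTP status $code." );
    }
    return wp_remote_retrieve_body( $response );
}
```

wp_http_validate_url() resolves the hostname once at check time, so a detection or review should also confirm that no later code path re-fetches the raw user URL with a second HTTP client.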
Update the plugin to a version newer than 3.9.30.
As a temporary workaround, restrict administrator-level access to the wpie_import_upload_file_from_url AJAX action.
Fix
Weakness Enumeration
SSRF
Related Identifiers
Affected Products
Wp Import Export Lite