PT-2026-55493 · WordPress · Wp Import Export Lite
Ddadd +1 · Published 2026-07-03 · Updated 2026-07-03 · CVE-2026-11397
CVSS v3.1: 5.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Import Export Lite versions prior to 3.9.31
Description: An issue exists in the wpie_import_upload_file_from_url AJAX action. The plugin first downloads the file with wp_safe_remote_get(), which validates the target through wp_http_validate_url() and refuses hosts in loopback, private and link-local ranges. However, if that call returns a WP_Error, the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original user-supplied URL, applying no SSRF filtering and with TLS certificate verification disabled. Because a URL rejected by the safe client comes back as a WP_Error, the private-range block is precisely what triggers the unprotected fallback: an internal address is simply re-requested by the unguarded client. This allows authenticated attackers with administrator-level access to perform Server-Side Request Forgery (SSRF), making web requests to arbitrary locations from the server, such as querying or modifying information on internal services like the cloud metadata endpoint at 169.254.169.254.
Recommendations: Update the plugin to version 3.9.31 or later. As a temporary workaround, restrict access to the wpie_import_upload_file_from_url AJAX action (for example, disable it or limit it to trusted administrator accounts) until the update is applied; blocking outbound requests from the web server to internal address ranges and the cloud metadata endpoint limits the impact of any remaining SSRF.
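The pattern the description and recommendation refer to, shown as an added illustration that is not code from the WP Import Export Lite plugin: a hypothetical reconstruction of a Download::download_file()-style method in its vulnerable shape (guarded first attempt, unguarded Guzzle retry) next to a hardened shape that validates once and fails closed. The function names, the $dest parameter and the option values are assumptions; the WordPress and Guzzle calls are the real APIs.

```php
<?php
// Added illustration, not the plugin's own code. Both functions are hypothetical
// reconstructions of the pattern the advisory describes; names, the $dest
// parameter and option values are assumptions.

use GuzzleHttp\Client;
use GuzzleHttp\Exception\GuzzleException;

/**
 * Vulnerable shape: a guarded first attempt followed by an unguarded retry.
 *
 * wp_safe_remote_get() sets 'reject_unsafe_urls', so WP_Http runs
 * wp_http_validate_url() and returns a WP_Error for loopback, private and
 * link-local hosts. That WP_Error is exactly what triggers the fallback, so a
 * rejected internal URL is re-requested by a client that validates nothing,
 * follows redirects unchecked and skips TLS certificate verification.
 */
function wpie_example_download_file_vulnerable( string $url, string $dest ): bool {
	$response = wp_safe_remote_get( $url, array( 'timeout' => 30 ) );
	if ( ! is_wp_error( $response ) ) {
		return false !== file_put_contents( $dest, wp_remote_retrieve_body( $response ) );
	}

	// Fallback path: same user-supplied $url, no SSRF filter, 'verify' => false.
	$client = new Client( array( 'verify' => false, 'timeout' => 30 ) );
	try {
		$res = $client->request( 'GET', $url );
	} catch ( GuzzleException $e ) {
		return false;
	}
	return false !== file_put_contents( $dest, (string) $res->getBody() );
}

/**
 * Hardened shape: validate once, fail closed, never downgrade to a second client.
 *
 * @return true|WP_Error
 */
function wpie_example_download_file_hardened( string $url, string $dest ) {
	// wp_http_validate_url() rejects non-http(s) schemes, credentials in the
	// URL, unexpected ports and hosts resolving to internal ranges.
	$validated = wp_http_validate_url( $url );
	if ( false === $validated ) {
		return new WP_Error( 'wpie_unsafe_url', 'Refusing to fetch a URL that failed wp_http_validate_url().' );
	}

	// WP_Http re-validates every redirect hop with the same arguments, which
	// the Guzzle fallback above never did.
	$response = wp_safe_remote_get( $validated, array( 'timeout' => 30 ) );
	if ( is_wp_error( $response ) ) {
		return $response; // No second client: a blocked or failed fetch stays blocked.
	}

	$code = (int) wp_remote_retrieve_response_code( $response );
	if ( 200 !== $code ) {
		return new WP_Error( 'wpie_bad_status', sprintf( 'Unexpected HTTP status %d.', $code ) );
	}

	if ( false === file_put_contents( $dest, wp_remote_retrieve_body( $response ) ) ) {
		return new WP_Error( 'wpie_write_failed', 'Could not write the downloaded file.' );
	}
	return true;
}
```

Two caveats remain even with the hardened shape. The AJAX handler that calls it must still enforce a capability check and a nonce before reaching the download code, and wp_http_validate_url() resolves the hostname once at validation time while the fetch resolves it again, so a DNS-rebinding target can still slip past; network-level egress filtering toward internal ranges and the metadata endpoint is the backstop for that case.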

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-11397

Affected Products

Wp Import Export Lite