CVE-2022-0236— WP Import Export (Lite) <= 3.9.15 Unauthenticated Sensitive Data Disclosure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-0236
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WP Import Export (Lite) <= 3.9.15 Unauthenticated Sensitive Data Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
WordPress 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WordPress plugin是WordPress开源的一个应用插件。 WordPress plugin Import Export 插件存在安全漏洞,该漏洞源于 ~/includes/classes/class-wpie-general.php 文件中的下载功能 wpie_process_file_download 缺少功能检查。经身份验证的攻击者可以从易受攻击的站点下载任何导入或导出的信息,这些信息可能包含用户数据等敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| vjinfotech | WP Import Export | 3.9.15 ~ 3.9.15 | - | |
| vjinfotech | WP Import Export Lite | 3.9.15 ~ 3.9.15 | - |
II. Public POCs for CVE-2022-0236
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Proof of concept for unauthenticated sensitive data disclosure affecting the wp-import-export WordPress plugin (CVE-2022-0236) | https://github.com/qurbat/CVE-2022-0236 | POC Details |
| 2 | CVE-2022-0236 | https://github.com/xiska62314/CVE-2022-0236 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-0236
请登录查看更多情报信息。
- https://github.com/qurbat/CVE-2022-0236x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-0236
IV. Related Vulnerabilities
Same vendor: vjinfotech
- CVE-2025-5061
WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+ - CVE-2025-6207
WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+ - CVE-2025-2839
WP Import Export Lite <= 3.9.27 - Authenticated (Contributor - CVE-2024-31308
WordPress WP Import Export Lite & WP Import Export plugin <= - CVE-2023-47687
WordPress Woo Custom and Sequential Order Number Plugin <= 2
Same weakness: CWE-862
- CVE-2021-47932
WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthen - CVE-2025-15634
HCL BigFix WebUI is affected by a missing authorization vuln - CVE-2026-42297
Argo Workflows Is Missing Authorization in Sync ConfigMap Pr - CVE-2026-42174
Kirby: User avatar creation, replacement and deletion are no - CVE-2026-42137
Kirby: `pages.access/list` and `files.access/list` permissio
V. Comments for CVE-2022-0236
No comments yet