CVE-2025-5061

WordPress · WordPress WP Import Export Lite plugin

A high-severity vulnerability exists within the WP Import Export Lite plugin for WordPress, allowing an attacker to upload malicious files to a target website.

Executive summary

A high-severity vulnerability exists within the WP Import Export Lite plugin for WordPress, allowing an attacker to upload malicious files to a target website. This flaw could be exploited to execute arbitrary code, potentially leading to a complete compromise of the website, data theft, and reputational damage.

Vulnerability

The vulnerability is an Arbitrary File Upload in the wpie_parse_upload_data function. This function lacks proper server-side validation to ensure that uploaded files are of an expected and safe file type (e.g., CSV, XML). An authenticated attacker with access to the plugin's import functionality can bypass client-side restrictions and upload a malicious script, such as a PHP web shell, disguised as a legitimate import file. Once the malicious file is on the server, the attacker can access it via its URL to execute code in the security context of the web server, leading to remote code execution (RCE).
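The following is an added example, not code from the WP Import Export Lite plugin, showing the server-side checks an import handler needs so that a client-side restriction is not the only barrier: a strict extension allowlist on the name, a MIME type sniffed from the bytes rather than taken from the request, a content check that the file really is CSV or XML with no PHP open tag, and a server-chosen storage name. The function and constant names are this example's own assumptions.

```php
<?php
// Added example, not code from WP Import Export Lite: the kind of server-side
// checks an import handler must perform before accepting a file. Function and
// constant names here are this example's own (assumptions), not the plugin's.
declare(strict_types=1);

// Allowed import types: extension => MIME types libmagic reports for them.
const IMPORT_ALLOWED = [
    'csv' => ['text/csv', 'text/plain', 'application/csv'],
    'xml' => ['text/xml', 'application/xml', 'text/plain'],
];

// Extensions that must not appear in ANY dot-separated segment of the name
// (catches "data.php.csv", which some Apache handler setups would execute).
const IMPORT_FORBIDDEN = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps'];

/**
 * Validate an uploaded import file by name, detected MIME type and content.
 * Returns ['ok' => bool, 'reason' => string, 'store_as' => ?string]; never
 * trusts the client-supplied file name or Content-Type header.
 */
function validate_import_upload(string $tmp_path, string $original_name): array
{
    $fail = fn(string $why): array => ['ok' => false, 'reason' => $why, 'store_as' => null];

    // 1. Extension allowlist on the final segment, denylist on every segment.
    $segments = array_map('strtolower', explode('.', basename($original_name)));
    if (count($segments) < 2) {
        return $fail('missing extension');
    }
    $ext = end($segments);
    if (!isset(IMPORT_ALLOWED[$ext])) {
        return $fail("extension .$ext not allowed");
    }
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array($segment, IMPORT_FORBIDDEN, true)) {
            return $fail("forbidden extension segment .$segment in file name");
        }
    }

    // 2. MIME type sniffed from the bytes on disk, not taken from the request.
    //    libmagic reports text/x-php for a file that starts with "<?php", so the
    //    obvious case already fails here; step 3 covers a tag placed later on.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp_path) ?: 'unknown';
    if (!in_array($mime, IMPORT_ALLOWED[$ext], true)) {
        return $fail("detected type $mime does not match .$ext");
    }

    // 3. The bytes must be UTF-8 text, contain no PHP open tag, and parse as
    //    the declared format. "<?xml" is allowed; "<?php", "<?=" and "<? " are not.
    $data = file_get_contents($tmp_path);
    if ($data === false || !mb_check_encoding($data, 'UTF-8')) {
        return $fail('file is not valid UTF-8 text');
    }
    if (preg_match('/<\?(?:php\b|=|\s)/i', $data) === 1) {
        return $fail('PHP open tag found in import data');
    }
    if ($ext === 'xml') {
        $prev = libxml_use_internal_errors(true);
        // LIBXML_NONET: no network fetches; entities stay unexpanded (no LIBXML_NOENT).
        $doc = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);
        if ($doc === false) {
            return $fail('not well-formed XML');
        }
    } else {
        $rows = array_map(fn(string $l): array => str_getcsv($l, ',', '"', ''), preg_split('/\R/', trim($data)));
        if ($rows[0] === [null]) {
            return $fail('empty CSV');
        }
    }

    // 4. Store under a server-chosen random name; the client never picks it.
    return ['ok' => true, 'reason' => 'accepted', 'store_as' => bin2hex(random_bytes(16)) . ".$ext"];
}

// Demonstration on two constructed files written to the system temp directory.
$benign = tempnam(sys_get_temp_dir(), 'imp');
file_put_contents($benign, "sku,title\n1001,\"Widget, blue\"\n");
$tagged = tempnam(sys_get_temp_dir(), 'imp');
file_put_contents($tagged, "sku,title\n<?php echo 'constructed marker'; ?>,x\n");

foreach ([[$benign, 'products.csv'], [$tagged, 'products.csv'], [$benign, 'products.php.csv']] as [$path, $name]) {
    $result = validate_import_upload($path, $name);
    printf("%-18s %-7s %s\n", $name, $result['ok'] ? 'OK' : 'REJECT', $result['reason']);
}
unlink($benign);
unlink($tagged);
```

The three constructed cases exercise each layer: a plain CSV is accepted, a CSV carrying a PHP open tag is rejected on content, and a benign file with a "products.php.csv" name is rejected on the name alone. Inside WordPress the same checks would sit in front of the plugin's handler and the accepted file would be moved to its final location under the server-generated name.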

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could have a significant negative impact on the business. The primary risk is remote code execution, which can lead to a complete compromise of the web server. Potential consequences include the theft of sensitive data such as customer information or intellectual property, website defacement causing reputational harm, and financial losses from downtime or regulatory fines. A compromised server could also be used to attack other systems within the network or serve malware to visitors, further escalating the damage.

Remediation

Immediate Action:

  • Immediately update the WP Import Export Lite plugin to the latest version available from the vendor, which is confirmed to be patched against this vulnerability.
  • If the plugin is not essential for business operations, the recommended course of action is to disable and completely uninstall it to eliminate the attack surface.
  • Review WordPress user roles and permissions to ensure that only trusted users have the ability to upload files.

Proactive Monitoring:

  • Log Analysis: Monitor web server access logs for suspicious POST requests to the plugin's upload endpoints. Scrutinize the WordPress uploads directory for any files with executable extensions (e.g., .php, .phtml, .php5).
  • File Integrity Monitoring (FIM): Utilize a FIM solution to detect any unauthorized changes or additions to WordPress core, theme, and plugin files.
  • Network Traffic Analysis: Monitor for any unusual outbound network connections from the web server, which could indicate a command-and-control (C2) channel established by an attacker.
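The log-analysis and uploads-directory items above, as an added example that is not part of this advisory or the plugin: a PHP 8 CLI check that parses combined-format access-log lines, flags the two patterns this advisory describes (a POST that reaches the plugin's upload handling, and a later request for a script under wp-content/uploads), and walks the uploads tree for executable extensions. The plugin directory name wp-import-export-lite and the wpie_ admin-ajax action prefix are assumptions drawn from the plugin name and the function name in this advisory; the log lines are constructed with documentation addresses, not real traffic.

```php
<?php
// Added example, not the plugin's code: CLI checks for the "Log Analysis" items.
// ASSUMPTIONS: plugin directory "wp-import-export-lite" and admin-ajax actions
// starting with "wpie" (derived from the function name in the advisory).
declare(strict_types=1);

const EXEC_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps'];

// Parse one Apache/nginx combined-format line into the fields we need, or null.
function parse_log_line(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) /';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => parse_url($m['target'], PHP_URL_PATH) ?: $m['target'],
        'query'  => parse_url($m['target'], PHP_URL_QUERY) ?: '',
        'status' => (int) $m['status'],
    ];
}

// Return a short reason if the request matches a pattern worth reviewing, else null.
function classify_request(array $r): ?string
{
    $path = strtolower($r['path']);
    // Upload step: POST to the plugin's own files or to admin-ajax with a wpie action.
    if ($r['method'] === 'POST') {
        if (str_contains($path, '/wp-content/plugins/wp-import-export-lite/')) {
            return 'POST to plugin directory';
        }
        if (str_ends_with($path, '/wp-admin/admin-ajax.php')
            && preg_match('/(?:^|&)action=wpie/i', $r['query']) === 1) {
            return 'POST to admin-ajax with wpie action';
        }
    }
    // Execution step: any request for a script-like file inside the uploads tree.
    if (str_contains($path, '/wp-content/uploads/')) {
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (in_array($ext, EXEC_EXTENSIONS, true)) {
            return "script requested from uploads (HTTP {$r['status']})";
        }
    }
    return null;
}

// Scan an iterable of log lines (array or SplFileObject) and collect findings.
function scan_log(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $r = parse_log_line($line);
        if ($r !== null && ($why = classify_request($r)) !== null) {
            $hits[] = sprintf('line %d [%s] %s %s %s -> %s', $n + 1, $r['time'], $r['ip'], $r['method'], $r['path'], $why);
        }
    }
    return $hits;
}

// Walk the uploads directory and list every file with an executable extension.
function find_executable_uploads(string $uploads_dir): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploads_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && in_array(strtolower($file->getExtension()), EXEC_EXTENSIONS, true)) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

// Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
$sample = [
    '203.0.113.10 - - [01/Jun/2025:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Jun/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=wpie_upload HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Jun/2025:10:00:20 +0000] "GET /wp-content/uploads/2025/06/import.php?x=1 HTTP/1.1" 200 30 "-" "curl/8.0"',
    '198.51.100.5 - - [01/Jun/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/06/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];
foreach (scan_log($sample) as $hit) {
    echo $hit, PHP_EOL;
}
// On a real host: scan_log(new SplFileObject('/var/log/apache2/access.log'))
// and find_executable_uploads('/var/www/html/wp-content/uploads') (paths assumed).
```

The two findings to correlate are a POST into the plugin's upload handling followed, from the same client, by a request for a script under the uploads tree; a 200 on that second request is the strongest signal, since a hardened uploads directory (see the compensating controls below) would answer 403. Run find_executable_uploads on a schedule and alert on any non-empty result, because a correctly configured WordPress site should never have PHP files under wp-content/uploads.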

Compensating Controls:

  • Web Application Firewall (WAF): Implement a WAF with rules designed to block the upload of files with dangerous extensions and to filter malicious request patterns targeting the vulnerable plugin.
  • Harden Server Permissions: Configure web server and file system permissions to prevent the execution of scripts from the uploads directory. For Apache, this can be achieved using an .htaccess file with rules to deny script execution.
  • Plugin Deactivation: If patching cannot be performed immediately, disable the plugin until the update can be safely deployed.
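The "Harden Server Permissions" item above, as an added example that is not code from WordPress or the plugin: a PHP helper that installs an Apache 2.4 .htaccess in the uploads directory denying requests for script extensions, switches the PHP engine off where mod_php is in use, writes the file atomically (Apache treats a half-written .htaccess as a 500), and can verify afterwards that the rule is present. It assumes Apache honours .htaccess for that directory (AllowOverride) and that the uploads path passed in is correct; on nginx or php-fpm-only hosts the equivalent deny belongs in the server configuration instead.

```php
<?php
// Added example, not WordPress or plugin code: deploy and verify a deny-rule
// .htaccess in wp-content/uploads so a file that slips past upload validation
// still cannot be executed. ASSUMPTIONS: Apache 2.4 with AllowOverride for the
// uploads directory; the directory path is supplied by the caller.
declare(strict_types=1);

const UPLOADS_HTACCESS = <<<'HTACCESS'
# Deny requests for server-side scripts anywhere under wp-content/uploads.
# "(\.|$)" also catches double extensions such as "data.php.csv".
<FilesMatch "\.(php|phtml|php[3-7]|phar|phps)(\.|$)">
    Require all denied
</FilesMatch>
# On mod_php hosts also switch the engine off for this tree (ignored by php-fpm).
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
HTACCESS;

// True if the directory's .htaccess already contains a FilesMatch deny for php.
function uploads_dir_is_hardened(string $uploads_dir): bool
{
    $target = rtrim($uploads_dir, '/') . '/.htaccess';
    if (!is_file($target)) {
        return false;
    }
    $conf = (string) file_get_contents($target);
    $re = '/<FilesMatch\s+"[^"]*php[^"]*">\s*(?:Require all denied|Deny from all)\s*<\/FilesMatch>/is';
    return preg_match($re, $conf) === 1;
}

// Append the deny rules to the uploads .htaccess (creating it if absent).
// With $dry_run the intended content is printed and nothing is written.
function harden_uploads_dir(string $uploads_dir, bool $dry_run = true): bool
{
    if (uploads_dir_is_hardened($uploads_dir)) {
        return true; // already in place, nothing to do
    }
    $target   = rtrim($uploads_dir, '/') . '/.htaccess';
    $existing = is_file($target) ? (string) file_get_contents($target) : '';
    $content  = ($existing !== '' ? rtrim($existing) . "\n\n" : '') . UPLOADS_HTACCESS . "\n";
    if ($dry_run) {
        echo "would write to $target:\n$content";
        return false;
    }
    // Write a temp file in the same directory, then rename, so Apache never
    // reads a partially written .htaccess.
    $tmp = $target . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $content, LOCK_EX) === false || !rename($tmp, $target)) {
        @unlink($tmp);
        return false;
    }
    return uploads_dir_is_hardened($uploads_dir);
}

// Demonstration in a throwaway temp directory standing in for wp-content/uploads.
$demo = sys_get_temp_dir() . '/uploads-demo-' . bin2hex(random_bytes(4));
mkdir($demo);
printf("before: %s\n", uploads_dir_is_hardened($demo) ? 'hardened' : 'not hardened');
harden_uploads_dir($demo, dry_run: false);
printf("after:  %s\n", uploads_dir_is_hardened($demo) ? 'hardened' : 'not hardened');
unlink("$demo/.htaccess");
rmdir($demo);
```

Run it first with the default dry run against the real uploads path to review what would be written, then with dry_run false; afterwards request any .php URL under the uploads directory yourself and confirm the server answers 403. Keep this control in place even after patching the plugin, since it protects against any other upload path that might be abused later.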

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high-severity rating (CVSS 7.5) and the risk of remote code execution, this vulnerability requires immediate attention. Although it is not currently listed in the CISA KEV catalog, its potential for complete system compromise presents a critical risk. It is strongly recommended that all organizations using the WP Import Export Lite plugin prioritize applying the vendor's patch immediately. If the plugin is not business-critical, it should be removed to mitigate this threat entirely.