CVE-2026-57628
Soflyy · WP All Import
A SQL injection vulnerability exists in the WP All Import plugin that can be exploited by an authenticated administrator to execute arbitrary database queries.
Executive summary
An authenticated SQL injection vulnerability in the WP All Import plugin allows an attacker with administrator privileges to manipulate the underlying database and compromise site integrity.
Vulnerability
The flaw is an SQL injection: a value supplied by an authenticated administrator is placed into a database query without being parameterized or escaped, so SQL syntax contained in that value is executed by the database instead of being treated as data.
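To make the bug class concrete, the following is an added MySQL example; it is not code from WP All Import or from the advisory, and the table, its rows and the import_id value are constructed for illustration. It runs the same attacker-controlled value once through a statement built by string concatenation and once through a prepared statement with a bound parameter:

```sql
-- Constructed demo data (not WP All Import's schema).
CREATE TEMPORARY TABLE demo_imports (
  id      INT PRIMARY KEY,
  name    VARCHAR(64),
  api_key VARCHAR(64)
);
INSERT INTO demo_imports VALUES
  (1, 'products', 'key-for-import-1'),
  (2, 'users',    'key-for-import-2'),
  (3, 'orders',   'key-for-import-3');

-- Attacker-controlled value for a hypothetical "import id" request parameter.
SET @import_id = '1 OR 1=1';

-- 1. Vulnerable pattern: the value is spliced into the SQL text, so the
--    "OR 1=1" becomes part of the WHERE clause and every row comes back.
SET @sql = CONCAT('SELECT id, name, api_key FROM demo_imports WHERE id = ', @import_id);
PREPARE vuln FROM @sql;
EXECUTE vuln;                    -- returns all 3 rows, api_keys included
DEALLOCATE PREPARE vuln;

-- 2. Hardened pattern: the placeholder binds the whole string as a single
--    value; it never becomes SQL. Compared against an INT column, MySQL
--    coerces '1 OR 1=1' to the number 1 (with warning 1292), so only the
--    row the attacker was entitled to ask for is returned.
PREPARE safe FROM 'SELECT id, name, api_key FROM demo_imports WHERE id = ?';
EXECUTE safe USING @import_id;   -- returns only row 1
SHOW WARNINGS;                   -- "Truncated incorrect DOUBLE value"
DEALLOCATE PREPARE safe;

DROP TEMPORARY TABLE demo_imports;
```

In WordPress plugin code the second form corresponds to `$wpdb->prepare( 'SELECT ... WHERE id = %d', $import_id )`, with `%d`, `%s` or `%f` chosen to match the column type; interpolating `$import_id` directly into the query string is the first form.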
Business impact
Successful exploitation gives an attacker who already holds, or has taken over, an administrator account direct read and write access to the database through the web application's database user: user records and password hashes can be read, content and settings can be modified, and full site takeover is possible. Administrative access is a precondition, but the CVSS score of 7.6 still rates the issue high severity, because it turns application-level administration into arbitrary database queries that WordPress's own capability checks and logging never see, and those queries can reach any other schema the database account is permitted to use.
Remediation
Immediate Action: Update the WP All Import plugin to the latest version published by the vendor. The injection point is in the plugin's query construction, so only the vendor's fix (parameterized queries) removes it; the controls below limit damage but do not close the hole.
Proactive Monitoring: Log and review database activity so that statements unusual for WordPress traffic can be spotted and tied back to the administrator session that issued them. Full query logging (such as MySQL's general log) is costly and records sensitive values, so enable it selectively or for the duration of an investigation.
Compensating Controls: Restrict the database account the web application connects with to the privileges WordPress actually needs: data manipulation on its own schema only, with no FILE, SUPER or access to other databases, so that an injected query cannot reach beyond the site's own tables or the database server's files.
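The following is an added MySQL example covering the monitoring and least-privilege items above; it is not from the advisory or the vendor. The account name 'wp_site'@'localhost', the schema name wordpress and the password are placeholders to replace with your own values:

```sql
-- Weak but common setup: the web application's account owns the server.
--   GRANT ALL PRIVILEGES ON *.* TO 'wp_site'@'localhost';
-- Under SQL injection that grant means LOAD_FILE(), other databases and
-- user management are all reachable from the plugin's query.

-- Hardened: start clean, then grant only the DML WordPress needs, scoped
-- to its own schema.
CREATE USER IF NOT EXISTS 'wp_site'@'localhost'
  IDENTIFIED BY 'replace-with-a-long-random-secret';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wp_site'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress.* TO 'wp_site'@'localhost';

-- Core and plugin installation or updates create and alter tables. Grant
-- these for the maintenance window in which you apply the plugin update,
-- then revoke them again:
--   GRANT  CREATE, ALTER, INDEX, DROP ON wordpress.* TO 'wp_site'@'localhost';
--   REVOKE CREATE, ALTER, INDEX, DROP ON wordpress.* FROM 'wp_site'@'localhost';

-- Verify: the account must show no *.* grant and no FILE, SUPER or PROCESS.
SHOW GRANTS FOR 'wp_site'@'localhost';

-- Audit every account holding server-wide privileges an injection could abuse.
SELECT User, Host, File_priv, Super_priv, Process_priv, Grant_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Process_priv = 'Y' OR Grant_priv = 'Y';

-- Monitoring: the general log records every statement. It is verbose and
-- captures sensitive values, so turn it on only while investigating and
-- turn it off afterwards.
SET GLOBAL log_output  = 'TABLE';
SET GLOBAL general_log = 'ON';

-- Statement shapes that are unusual for normal WordPress traffic. The
-- argument column is a BLOB, so convert it before a case-insensitive LIKE.
SELECT event_time, user_host, LEFT(CONVERT(argument USING utf8mb4), 200) AS stmt
FROM mysql.general_log
WHERE CONVERT(argument USING utf8mb4) LIKE '%UNION%SELECT%'
   OR CONVERT(argument USING utf8mb4) LIKE '%information_schema%'
   OR CONVERT(argument USING utf8mb4) LIKE '%LOAD_FILE(%'
   OR CONVERT(argument USING utf8mb4) LIKE '%SLEEP(%'
   OR CONVERT(argument USING utf8mb4) LIKE '%INTO OUTFILE%'
ORDER BY event_time DESC
LIMIT 50;

SET GLOBAL general_log = 'OFF';
```

The GRANT and SET GLOBAL statements require an administrative MySQL account, not the web application's; on MySQL 8.0 also review mysql.global_grants for dynamic privileges, which the mysql.user columns above do not show.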
Exploitation status
Public Exploit Available: false
Analyst recommendation
Administrators should audit their current plugin installations and apply available security updates immediately. Since this and similar authenticated vulnerabilities are reachable only through an administrator account, also restrict administrative access to the WordPress dashboard to trusted personnel and review who currently holds that role.