Platform: wordpress
Component: wp-all-import
Fixed in: 4.0.1
CVE-2026-2830 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WP All Import plugin for WordPress. This vulnerability allows unauthenticated attackers to inject malicious web scripts, potentially leading to account compromise and website defacement. The vulnerability impacts versions 0.0.0 through 4.0.0 of the plugin, and a fix is available in version 4.0.1.
An attacker can exploit this XSS vulnerability by crafting a malicious URL containing a specially crafted 'filepath' parameter. When a user clicks on this link, the injected script will execute in their browser within the context of the WordPress site. This can allow the attacker to steal session cookies, redirect the user to a phishing site, or modify the content of the page. The impact is particularly severe if the targeted user has administrative privileges, as the attacker could then gain control of the entire WordPress installation. This vulnerability highlights the importance of proper input sanitization and output escaping in web applications, especially those handling user-supplied data.
CVE-2026-2830 was publicly disclosed on 2026-03-06. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The medium CVSS score indicates a moderate risk of exploitation, particularly given the widespread use of the WP All Import plugin.
Websites running the WP All Import plugin, particularly older versions (0.0.0–4.0.0), are at risk. Shared hosting environments where the user does not manage plugin updates are especially exposed, as site owners may be unaware of the vulnerability or unable to apply the patch promptly.
• wordpress / composer / npm:
  grep -r 'filepath=.*;' /var/log/apache2/access.log
• wordpress / composer / npm:
  wp plugin list --status=inactive | grep "all-import"
• wordpress / composer / npm:
  wp plugin update --all
• generic web:
  curl -I 'https://example.com/wp-content/plugins/wp-all-import/index.php?filepath=alert(1)'
Exploit status
EPSS: 0.10% (28th percentile)
The primary mitigation for CVE-2026-2830 is to immediately upgrade the WP All Import plugin to version 4.0.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the 'filepath' parameter. Additionally, carefully review any user input related to file paths and ensure proper sanitization and escaping are applied. Monitor WordPress logs for unusual activity or attempts to exploit the vulnerability. After upgrading, confirm the fix by attempting to access a crafted URL with a malicious payload; the request should be blocked or sanitized.
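To make the log-monitoring step concrete, the following is an added example (not code from the advisory or from the WP All Import project) that parses constructed Apache access-log lines and flags requests whose `filepath` parameter carries markup metacharacters; the log lines, client IPs and the plugin path are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Mar/2026:10:01:02 +0000] "GET /wp-content/plugins/wp-all-import/index.php?filepath=uploads/data.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Mar/2026:10:02:17 +0000] "GET /wp-content/plugins/wp-all-import/index.php?filepath=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Mar/2026:10:03:40 +0000] "GET /index.php?p=12 HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [06/Mar/2026:10:04:01 +0000] "GET /wp-content/plugins/wp-all-import/index.php?filepath=x%22%20onmouseover%3Dalert(1)%20a%3D%22 HTTP/1.1" 200 734 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Tokens that a legitimate file path never needs but markup injection does.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def suspicious_filepath(target):
    """Return the decoded 'filepath' value if it looks like markup injection, else None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in qs.get('filepath', []):
        value = unquote(raw)  # parse_qs decoded once; decode again for double-encoding
        if SUSPICIOUS_RE.search(value):
            return value
    return None


def scan_log(text):
    """Scan log text and return a list of findings (ip, timestamp, decoded filepath)."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = suspicious_filepath(rec['target'])
        if hit is not None:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'filepath': hit})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} filepath={f['filepath']!r}")
```

Benign path values such as `uploads/data.csv` pass, while percent-encoded and double-encoded payloads are decoded before matching.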
Update to version 4.0.1 or a newer patched version.
CVE-2026-2830 is a Reflected Cross-Site Scripting (XSS) vulnerability in the WP All Import plugin for WordPress, allowing attackers to inject scripts via the 'filepath' parameter.
You are affected if you are using WP All Import versions 0.0.0 through 4.0.0. Upgrade to 4.0.1 or later to mitigate the risk.
Upgrade the WP All Import plugin to version 4.0.1 or later. Consider implementing a WAF rule to block malicious requests as a temporary measure.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the official WP All Import website or WordPress plugin repository for the latest advisory and update information.