Import WP
cpe:2.3:a:importwp:import_wp:*:*:*:*:wordpress:*:*
- <= 2.14.16
Import WP – Export and Import CSV and XML files to WordPress, in all versions up to and including 2.14.16, contains an arbitrary file read vulnerability. When the 'file_local' action is used, the plugin's REST API endpoint passes the caller-supplied absolute file path to the 'attach_file()' function without validating it. Authenticated attackers with administrator-level access or above can therefore place any path in the 'local_url' parameter and read arbitrary files from the server's filesystem, including sensitive configuration and system files.
Successful exploitation lets the attacker read files they should not have access to, potentially exposing sensitive data such as the database credentials and authentication salts stored in wp-config.php. According to Wordfence, this vulnerability could additionally lead to overwriting files, which may allow for code execution.
To reproduce this vulnerability, an authenticated user with administrator-level access sends a request to the plugin's REST API endpoint, 'iwp/importer/{id}/upload', with the 'file_local' action and an arbitrary absolute path in the 'local_url' parameter. Because the path is not validated, files outside the intended import directory, such as 'wp-config.php', are read. Note that a WordPress administrator can ordinarily install plugins and run code anyway, so the boundary this crosses matters most on installs that disable file modification (for example with DISALLOW_FILE_MODS) or otherwise restrict what administrators may do; there, reading wp-config.php still exposes the database credentials.
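For teams that cannot patch immediately, the request pattern above can be hunted in web server logs. The following is an added example, not code from the advisory or from the plugin: it scans combined-format access log lines for the 'iwp/importer/{id}/upload' route (both the '/wp-json/' prefix and the '?rest_route=' form, which are assumed here as the usual WordPress REST URL shapes), pulls 'action' and 'local_url' from the query string, and flags a 'local_url' that resolves outside an assumed WordPress root of /var/www/html. The log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Assumed WordPress document root on the server; adjust for the deployment.
WP_ROOT = "/var/www/html"

# Apache/Nginx combined-format request line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Route named in the advisory: iwp/importer/{id}/upload (leading slash assumed).
ROUTE_RE = re.compile(r"^/iwp/importer/(?P<id>\d+)/upload/?$")


def rest_route(target):
    """Return (route, query) for both /wp-json/<route> and ?rest_route=<route> URLs."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def outside_wp_root(local_url, wp_root=WP_ROOT):
    """True if local_url (absolute or relative) would resolve outside the WP root."""
    if local_url.startswith("file://"):
        local_url = local_url[len("file://"):]
    # posixpath.join discards wp_root when local_url is absolute, which is the
    # attacker's case; normpath collapses any '..' segments in relative paths.
    candidate = posixpath.normpath(posixpath.join(wp_root, local_url))
    return not (candidate == wp_root or candidate.startswith(wp_root + "/"))


def classify(line):
    """Return a finding dict for a hit on the upload route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, query = rest_route(m["target"])
    r = ROUTE_RE.match(route) if route else None
    if not r:
        return None
    action = query.get("action", [None])[0]
    local_url = query.get("local_url", [None])[0]
    if action == "file_local" and local_url is not None:
        severity = "high" if outside_wp_root(local_url) else "info"
    else:
        # Parameters sent in the POST body are not recorded in access logs,
        # so a bare hit on the route still deserves a manual look.
        severity = "review"
    return {"ip": m["ip"], "importer_id": r["id"], "action": action,
            "local_url": local_url, "status": int(m["status"]),
            "severity": severity}


def scan(lines):
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:12:00:00 +0000] "POST /wp-json/iwp/importer/3/upload'
    '?action=file_local&local_url=%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Jan/2024:12:00:05 +0000] "POST /index.php?rest_route=/iwp/importer/3/upload'
    '&action=file_local&local_url=../../../wp-config.php HTTP/1.1" 200 3072 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Jan/2024:12:01:00 +0000] "POST /wp-json/iwp/importer/3/upload'
    ' HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:12:02:00 +0000] "POST /wp-json/iwp/importer/3/upload'
    '?action=file_local&local_url=/var/www/html/wp-content/uploads/products.csv HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:12:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the advisory describes a REST endpoint, the parameters will usually travel in the request body, which standard access logs do not capture; the 'review' severity exists for that reason, and a WAF or request-body logging in front of the endpoint is the place to apply the same 'local_url' check with full visibility.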
Update to Import WP version 2.14.17, which addresses this vulnerability by requiring local file imports from outside the WordPress directory to be explicitly whitelisted. Instructions for updating can be found on the WordPress Plugin Directory.
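The fix as described, a default of "inside the WordPress directory only" plus an explicit whitelist for anything else, is the standard path-containment check. The following is an added example in Python, written here to illustrate that check and not the plugin's own 'attach_file()' code: 'resolve_local_import()' canonicalises the requested path with realpath (so '..' segments and symlinks cannot escape), accepts it only under the WordPress root or an allowlisted directory, and 'demo()' exercises it against a constructed temporary WordPress tree. The function and directory names are assumptions for the example.

```python
import os
import tempfile


class ImportPathRejected(ValueError):
    """Raised when a requested local import path is not allowed."""


def resolve_local_import(local_url, wp_root, allowed_dirs=()):
    """Hardened counterpart to an unchecked file_local handler.

    Returns the canonical path of a regular file that lies under wp_root or
    under one of allowed_dirs; anything else raises ImportPathRejected.
    """
    if not local_url or "\x00" in local_url:
        raise ImportPathRejected("empty path or NUL byte")
    if local_url.startswith("file://"):
        local_url = local_url[len("file://"):]
    root = os.path.realpath(wp_root)
    bases = [root] + [os.path.realpath(d) for d in allowed_dirs]
    # Relative paths are taken relative to the WP root; an absolute local_url
    # replaces it, so the containment check below is what actually matters.
    candidate = os.path.realpath(os.path.join(root, local_url))
    for base in bases:
        if candidate == base or candidate.startswith(base + os.sep):
            if not os.path.isfile(candidate):
                raise ImportPathRejected("not a regular file: " + candidate)
            return candidate
    raise ImportPathRejected("outside allowed import locations: " + candidate)


def demo():
    """Build a throwaway WordPress-like tree and try the classic escape routes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "html")
        uploads = os.path.join(root, "wp-content", "uploads")
        extern = os.path.join(tmp, "imports")          # an operator-approved directory
        os.makedirs(uploads)
        os.makedirs(extern)
        with open(os.path.join(uploads, "products.csv"), "w") as fh:
            fh.write("sku,price\n")
        with open(os.path.join(extern, "feed.csv"), "w") as fh:
            fh.write("sku,price\n")
        secret = os.path.join(tmp, "secret.txt")        # stands in for a file outside the site
        with open(secret, "w") as fh:
            fh.write("db password\n")
        # A symlink planted inside uploads that points outside the site.
        os.symlink(secret, os.path.join(uploads, "link.csv"))

        cases = {
            "good": ("wp-content/uploads/products.csv", ()),
            "absolute": (secret, ()),
            "traversal": ("../secret.txt", ()),
            "symlink": ("wp-content/uploads/link.csv", ()),
            "etc": ("/etc/passwd", ()),
            "allowlisted": (os.path.join(extern, "feed.csv"), (extern,)),
        }
        results = {}
        for name, (url, allowed) in cases.items():
            try:
                resolve_local_import(url, root, allowed)
                results[name] = "accepted"
            except ImportPathRejected:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} {outcome}")
```

Two caveats a reviewer would raise against any such check: the realpath-then-open sequence is a check-then-use window, so the opened file descriptor should be validated again (for example with fstat) before its contents are trusted, and the allowlist must be a server-side setting that the request itself cannot extend, otherwise the same privileged caller simply whitelists the path they want.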