CVE-2022-3395 is a high-severity SQL Injection vulnerability (CWE-89) found in the WP All Export Pro WordPress plugin versions prior to 1.7.9. The vulnerability arises because the plugin directly uses the contents of the cc_sql POST parameter as part of a database query without proper sanitization or parameterization. This flaw allows an authenticated user with permission to run exports—by default, users with the Administrator role—to execute arbitrary SQL statements against the underlying database. Since the export permission can be delegated to lower-privileged users, the attack surface extends beyond administrators. Exploiting this vulnerability could lead to unauthorized data disclosure, data modification, or even complete compromise of the database and potentially the hosting environment. The CVSS 3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are currently reported in the wild, the vulnerability’s nature and ease of exploitation make it a significant risk for WordPress sites using this plugin. The absence of a patch link suggests that users should verify plugin updates or apply mitigations promptly.

For European organizations, this vulnerability poses a substantial risk, especially for those relying on WordPress sites with the WP All Export Pro plugin for data export functions. Successful exploitation could lead to unauthorized access to sensitive customer or business data, violating GDPR requirements and potentially resulting in regulatory fines and reputational damage. The ability to execute arbitrary SQL commands could also allow attackers to alter or delete critical data, disrupt business operations, or use the compromised site as a pivot point for further network intrusion. Given the widespread use of WordPress across European enterprises, including e-commerce, government, and educational institutions, the impact could be broad. Organizations handling personal data or financial information are particularly vulnerable to data breaches stemming from this flaw.

Organizations should immediately verify the version of WP All Export Pro in use and upgrade to version 1.7.9 or later where the vulnerability is fixed. If an upgrade is not immediately possible, restrict export permissions strictly to trusted administrators and audit user roles to ensure no unnecessary delegation of export capabilities. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the cc_sql parameter. Conduct regular security audits and database activity monitoring to detect anomalous queries. Additionally, enforce the principle of least privilege on database accounts used by WordPress to limit the potential damage from SQL injection. Backup critical data regularly and ensure backups are stored securely to enable recovery in case of compromise.