CVE-2024-7425: CWE-94 Improper Control of Generation of Code ('Code Injection') in WP All Import WP All Export Pro
CVE-2024-7425 is a code injection vulnerability in the WP All Export Pro WordPress plugin affecting all versions up to 1. 9. 1. Authenticated users with Shop Manager-level privileges or higher can exploit improper input validation to modify arbitrary WordPress options. This allows attackers to change the default user registration role to administrator and enable user registration, effectively escalating their privileges to full administrative access. Exploitation requires authentication and user interaction but can lead to full site compromise. The vulnerability has a CVSS score of 6. 8, indicating medium severity with high impact on confidentiality, integrity, and availability. No known public exploits have been reported yet. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent unauthorized privilege escalation and potential site takeover.
AI Analysis
Technical Summary
CVE-2024-7425 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code, or code injection) found in the WP All Export Pro plugin for WordPress. This plugin is widely used for exporting and importing data in WordPress sites, including e-commerce platforms using WooCommerce. The vulnerability exists in all versions up to and including 1.9.1 due to insufficient validation and sanitization of user inputs. Specifically, authenticated users with Shop Manager-level access or higher can exploit this flaw to update arbitrary WordPress options. By manipulating these options, an attacker can change the default role assigned to new user registrations to 'administrator' and enable user registration functionality. This effectively allows the attacker to create new administrative accounts without direct administrator credentials, leading to privilege escalation and full site control. The attack vector requires authentication and user interaction, but the impact on confidentiality, integrity, and availability is high, as attackers can fully compromise the affected WordPress site. The CVSS 3.1 score is 6.8, reflecting medium severity with network attack vector, low attack complexity, high privileges required, and user interaction needed. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using this plugin, especially those with Shop Manager roles assigned to multiple users. The lack of available patches at the time of reporting increases the urgency for mitigation.
Potential Impact
The impact of CVE-2024-7425 is significant for organizations running WordPress sites with the WP All Export Pro plugin, particularly e-commerce sites using WooCommerce where Shop Manager roles are common. Successful exploitation allows attackers to escalate privileges from Shop Manager to full administrator by modifying WordPress options to enable user registration and assign the administrator role by default. This leads to complete site takeover, enabling attackers to manipulate content, steal sensitive data, install backdoors, or disrupt site availability. The compromise of administrative accounts can also facilitate further attacks on connected systems or networks. Given WordPress's widespread use globally, the vulnerability could affect a large number of organizations, including small businesses, online retailers, and enterprises relying on WordPress for critical web infrastructure. The requirement for authentication limits exploitation to insiders or compromised accounts, but the ease of privilege escalation from a mid-level role increases risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks. Overall, the vulnerability threatens confidentiality, integrity, and availability of affected WordPress sites and their data.
Mitigation Recommendations
To mitigate CVE-2024-7425, organizations should first verify if they use the WP All Export Pro plugin and identify the version in use. Immediate mitigation steps include: 1) Restrict Shop Manager and higher roles to trusted users only, minimizing the number of accounts with such privileges. 2) Temporarily disable user registration or set the default registration role to a non-privileged role until a patch is available. 3) Implement strict input validation and sanitization at the application level if possible, or use Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the plugin's endpoints. 4) Monitor WordPress options and user roles for unauthorized changes to detect exploitation attempts early. 5) Regularly audit user accounts and roles to identify any unauthorized administrative accounts. 6) Stay updated with vendor announcements for patches or updates addressing this vulnerability and apply them promptly once released. 7) Consider isolating or sandboxing WordPress environments to limit the blast radius of a potential compromise. These steps go beyond generic advice by focusing on role management, monitoring, and temporary configuration changes specific to this vulnerability's exploitation method.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
CVE-2024-7425: CWE-94 Improper Control of Generation of Code ('Code Injection') in WP All Import WP All Export Pro
Description
CVE-2024-7425 is a code injection vulnerability in the WP All Export Pro WordPress plugin affecting all versions up to 1. 9. 1. Authenticated users with Shop Manager-level privileges or higher can exploit improper input validation to modify arbitrary WordPress options. This allows attackers to change the default user registration role to administrator and enable user registration, effectively escalating their privileges to full administrative access. Exploitation requires authentication and user interaction but can lead to full site compromise. The vulnerability has a CVSS score of 6. 8, indicating medium severity with high impact on confidentiality, integrity, and availability. No known public exploits have been reported yet. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent unauthorized privilege escalation and potential site takeover.
AI-Powered Analysis
Technical Analysis
CVE-2024-7425 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code, or code injection) found in the WP All Export Pro plugin for WordPress. This plugin is widely used for exporting and importing data in WordPress sites, including e-commerce platforms using WooCommerce. The vulnerability exists in all versions up to and including 1.9.1 due to insufficient validation and sanitization of user inputs. Specifically, authenticated users with Shop Manager-level access or higher can exploit this flaw to update arbitrary WordPress options. By manipulating these options, an attacker can change the default role assigned to new user registrations to 'administrator' and enable user registration functionality. This effectively allows the attacker to create new administrative accounts without direct administrator credentials, leading to privilege escalation and full site control. The attack vector requires authentication and user interaction, but the impact on confidentiality, integrity, and availability is high, as attackers can fully compromise the affected WordPress site. The CVSS 3.1 score is 6.8, reflecting medium severity with network attack vector, low attack complexity, high privileges required, and user interaction needed. No public exploits have been reported yet, but the vulnerability poses a significant risk to sites using this plugin, especially those with Shop Manager roles assigned to multiple users. The lack of available patches at the time of reporting increases the urgency for mitigation.
Potential Impact
The impact of CVE-2024-7425 is significant for organizations running WordPress sites with the WP All Export Pro plugin, particularly e-commerce sites using WooCommerce where Shop Manager roles are common. Successful exploitation allows attackers to escalate privileges from Shop Manager to full administrator by modifying WordPress options to enable user registration and assign the administrator role by default. This leads to complete site takeover, enabling attackers to manipulate content, steal sensitive data, install backdoors, or disrupt site availability. The compromise of administrative accounts can also facilitate further attacks on connected systems or networks. Given WordPress's widespread use globally, the vulnerability could affect a large number of organizations, including small businesses, online retailers, and enterprises relying on WordPress for critical web infrastructure. The requirement for authentication limits exploitation to insiders or compromised accounts, but the ease of privilege escalation from a mid-level role increases risk. The absence of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks. Overall, the vulnerability threatens confidentiality, integrity, and availability of affected WordPress sites and their data.
Mitigation Recommendations
To mitigate CVE-2024-7425, organizations should first verify if they use the WP All Export Pro plugin and identify the version in use. Immediate mitigation steps include: 1) Restrict Shop Manager and higher roles to trusted users only, minimizing the number of accounts with such privileges. 2) Temporarily disable user registration or set the default registration role to a non-privileged role until a patch is available. 3) Implement strict input validation and sanitization at the application level if possible, or use Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the plugin's endpoints. 4) Monitor WordPress options and user roles for unauthorized changes to detect exploitation attempts early. 5) Regularly audit user accounts and roles to identify any unauthorized administrative accounts. 6) Stay updated with vendor announcements for patches or updates addressing this vulnerability and apply them promptly once released. 7) Consider isolating or sandboxing WordPress environments to limit the blast radius of a potential compromise. These steps go beyond generic advice by focusing on role management, monitoring, and temporary configuration changes specific to this vulnerability's exploitation method.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-08-02T15:47:15.223Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c18b7ef31ef0b55fd98
Added to database: 2/25/2026, 9:39:36 PM
Last enriched: 2/26/2026, 3:39:15 AM
Last updated: 2/26/2026, 11:10:43 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-64999: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Checkmk GmbH Checkmk
HighCVE-2026-28138: Deserialization of Untrusted Data in Stylemix uListing
HighCVE-2026-28136: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in VeronaLabs WP SMS
HighCVE-2026-28132: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in villatheme WooCommerce Photo Reviews
HighCVE-2026-28131: Insertion of Sensitive Information Into Sent Data in WPVibes Elementor Addon Elements
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.