CVE-2024-9661 in WP All Import Pro Plugin
Summary
by MITRE • 02/07/2025
The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/07/2025
The WP All Import Pro plugin represents a widely used tool for importing data into WordPress environments, making it a critical component in many content management workflows. This vulnerability exists within the plugin's handling of administrative functions, specifically affecting versions up to and including 4.9.7. The flaw stems from inadequate security controls that fail to validate cryptographic nonces during the execution of the delete_and_edit function. This oversight creates a significant security gap that undermines the integrity of the WordPress administration interface and exposes sites to potential compromise through social engineering attacks.
The technical implementation of this CSRF vulnerability lies in the absence of proper nonce validation mechanisms within the plugin's backend processing. A nonce is a cryptographic value that ensures requests originate from legitimate administrative sessions and prevents unauthorized execution of administrative functions. Without this validation, attackers can construct malicious requests that appear to come from authenticated administrators, allowing them to manipulate imported content including posts, comments, and user accounts. The vulnerability specifically targets the delete_and_edit function which handles content modification operations, making it particularly dangerous as it can be exploited to remove critical data or alter user permissions.
The operational impact of this vulnerability extends beyond simple data deletion, as it provides attackers with the capability to disrupt content management workflows and potentially compromise entire WordPress installations. An attacker requiring only a victim administrator to click on a malicious link can execute destructive operations without authentication, leveraging the trust relationship between the administrator's browser and the WordPress site. This makes the vulnerability particularly dangerous in environments where administrators frequently visit external websites or click on links in emails, as the attack surface increases significantly. The vulnerability affects all versions up to 4.9.7, indicating a prolonged period during which this security gap existed.
Mitigation strategies for this vulnerability require immediate attention from WordPress administrators who use the WP All Import Pro plugin. The primary solution involves upgrading to a patched version of the plugin that implements proper nonce validation for the delete_and_edit function. Additionally, administrators should implement network-level security controls such as web application firewalls that can detect and block suspicious CSRF attempts. The vulnerability aligns with CWE-352, which describes Cross-Site Request Forgery, and maps to ATT&CK technique T1213.002 for Data from Information Repositories, as it enables unauthorized access to content management systems. Organizations should also conduct security audits to identify other potentially vulnerable plugins and ensure proper input validation across all administrative interfaces. Regular security monitoring and automated patch management processes become essential to prevent exploitation of similar vulnerabilities in the future.