If you run a WordPress site and use plugins for moving data around, you’ve probably heard of the popular WP Import Export plugin. Maybe you use it to back up your posts and users or transfer data between your sites. But did you know that both the free and premium versions of this plugin (up to version 3.9.15) suffered from a severe vulnerability?

In this article, we break down CVE-2022-0236, how it exposed sensitive information, the code behind the flaw, and what you should do to stay safe.

What Is CVE-2022-0236?

CVE-2022-0236 is an information disclosure vulnerability in the WP Import Export plugin, both free and paid versions, before 3.9.16. The root of the problem? A missing capability check in a specific download function. This allowed *anyone*, even people not logged in, to download import and export files—including files containing sensitive user data.

In simple terms:  
An attacker could easily steal export or import files from any WordPress site using this plugin, without needing a password.

How Did This Happen?

WordPress is all about roles and capabilities. Normally, functions that handle sensitive information check whether the current user is allowed to access them. But the vulnerable function, wpie_process_file_download, skipped this basic security step.

The unsafe code lived in:

~/includes/classes/class-wpie-general.php

Here is what the vulnerable function looked like (simplified for clarity):

public function wpie_process_file_download() {
    // No current_user_can() or nonce check: any visitor who reaches this
    // handler is served the file.
    $file = isset($_GET['file']) ? $_GET['file'] : '';
    $download_dir = WPIE_UPLOAD_DIR . '/';
    // basename() keeps the request inside the export directory, but every
    // file in that directory is downloadable.
    $path = $download_dir . basename($file);

    if (file_exists($path)) {
        header("Content-Type: application/octet-stream");
        header("Content-Disposition: attachment; filename=" . basename($path));
        readfile($path);
        exit;
    }
}

Attackers could use a direct URL to the vulnerable endpoint. For example:

https://example.com/wp-admin/admin-ajax.php?action=wpie_process_file_download&file=exported-data.csv

No password, token, or privilege check was required. All exported or imported files were available—even if they contained emails, usernames, or password hashes.

Here's how an attacker could exploit the vulnerability using curl (a common command-line tool):

curl "https://victimwebsite.com/wp-admin/admin-ajax.php?action=wpie_process_file_download&file=users-export.csv" -o stolen.csv

That's it. The server would return the CSV file, and now the attacker has your data.
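From the defender's side, every one of those requests leaves a line in the web server's access log, and the action name makes them easy to pick out. The script below is an added example written for this article, not code from the plugin or the original advisory. It parses combined-format log lines (the four lines it contains are constructed sample data using documentation IP ranges), keeps only requests to the wpie_process_file_download action, and flags successful downloads that did not come from a page inside /wp-admin/, which is the trail an unauthenticated direct fetch leaves.

```php
<?php
// Added example, not code from the article or the plugin: scan an access log
// for requests to the vulnerable admin-ajax action. The log lines below are
// constructed sample data in combined log format; the IPs are documentation
// ranges, not real hosts.

$sample_log = <<<'LOG'
203.0.113.7 - - [18/Jan/2022:18:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=wpie_process_file_download&file=users-export.csv HTTP/1.1" 200 48213 "-" "curl/7.79.1"
198.51.100.9 - - [18/Jan/2022:18:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 112 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jan/2022:18:04:02 +0000] "GET /wp-admin/admin-ajax.php?action=wpie_process_file_download&file=orders.xml HTTP/1.1" 404 0 "-" "curl/7.79.1"
192.0.2.55 - - [18/Jan/2022:18:05:19 +0000] "GET /wp-admin/admin-ajax.php?action=wpie_process_file_download&file=users-export.csv HTTP/1.1" 200 48213 "https://example.com/wp-admin/admin.php?page=wpie" "Mozilla/5.0"
LOG;

// Parse one combined-format line into its fields, or return null if it does
// not match (for example a truncated line).
function parse_access_line(string $line): ?array {
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'bytes' => $m[6] === '-' ? 0 : (int) $m[6],
            'referer' => $m[7], 'agent' => $m[8]];
}

// Return every request to the vulnerable action, with the file it asked for.
function find_export_downloads(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_access_line($line);
        if ($rec === null) continue;
        $url = parse_url($rec['target']);
        if (($url['path'] ?? '') !== '/wp-admin/admin-ajax.php') continue;
        parse_str($url['query'] ?? '', $q);
        if (($q['action'] ?? '') !== 'wpie_process_file_download') continue;
        $rec['file'] = $q['file'] ?? '';
        // A 200 response with no referer from the site's own admin pages is
        // the pattern an unauthenticated direct fetch leaves behind.
        $rec['suspicious'] = $rec['status'] === 200
            && strpos($rec['referer'], '/wp-admin/') === false;
        $hits[] = $rec;
    }
    return $hits;
}

foreach (find_export_downloads($sample_log) as $h) {
    printf("%s %-13s %-18s status=%d bytes=%-6d %s\n",
        $h['time'], $h['ip'], $h['file'], $h['status'], $h['bytes'],
        $h['suspicious'] ? 'SUSPICIOUS' : 'ok');
}
```

Run it with `php scan.php` after replacing $sample_log with the contents of your real access log. On the sample data it reports three requests to the action: the first (200, no referer) and, by the same rule, any other direct fetch are marked SUSPICIOUS, the 404 is not, and the one referred from a wp-admin page is treated as a legitimate admin download. The referer header is client-controlled, so treat this as a triage aid and not proof of legitimacy; a 200 with a non-zero byte count for a user export from an address you do not recognise is the line to investigate, and if you find one you should assume the file's contents were exposed.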

Why this matters:

- No authentication needed: Anyone, anywhere, could exploit it remotely.
- Exposure of sensitive data: Exported files often contain user lists, emails, password hashes, and more.

Files that were typically at risk:

- User exports (names, emails, possibly hashed passwords)
- Order/customer data (from eCommerce plugins)

Fixing the CVE-2022-0236 Vulnerability

The developers fixed this in version 3.9.16 by adding capability checks.  
Upgrade immediately if you are running anything older.

Fixed code example:

public function wpie_process_file_download() {
    // Capability check: only users allowed to manage the site may download.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Access denied.' );
    }
    // ... rest of the code
}
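The capability check is the fix that closes CVE-2022-0236. The version below is an added example written for this article, not the plugin's actual patched code, and it goes a little further than the one-line fix: it also verifies a nonce and confines the resolved path to the upload directory, which are the two other checks a reviewer would normally expect on a file download handler in a WordPress plugin. It assumes the WPIE_UPLOAD_DIR constant from the vulnerable snippet; the nonce action name wpie_download_nonce and the hook registration comment are hypothetical names chosen for the example.

```php
<?php
// Added example (not the plugin's own code): a hardened download handler.
// Assumes WPIE_UPLOAD_DIR is defined by the plugin, as in the vulnerable
// snippet; 'wpie_download_nonce' is a hypothetical nonce action name.

// Registration (hypothetical, outside the class): hook only the authenticated
// 'wp_ajax_' action, never 'wp_ajax_nopriv_', so logged-out visitors never
// reach this handler at all.
// add_action( 'wp_ajax_wpie_process_file_download', array( $this, 'wpie_process_file_download' ) );

public function wpie_process_file_download() {
    // 1. Capability check: only users who can manage the site may fetch
    //    import/export files. This is the check that was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Access denied.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: the download link must carry a nonce issued to this
    //    user, so a link copied elsewhere cannot be replayed (CSRF).
    check_ajax_referer( 'wpie_download_nonce', '_wpnonce' );

    // 3. Accept only a plain file name and resolve it inside the upload dir.
    $file = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    if ( '' === $file ) {
        wp_die( 'No file specified.', '', array( 'response' => 400 ) );
    }

    $download_dir = realpath( WPIE_UPLOAD_DIR );
    $path         = realpath( $download_dir . '/' . basename( $file ) );

    // realpath() returns false for a missing file; the prefix test rejects a
    // path that resolved outside the upload directory (e.g. via a symlink).
    if ( false === $path || 0 !== strpos( $path, $download_dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
```

Two design notes. The capability check comes first and fails closed with a 403, before any input is touched, so a logged-out request costs the server nothing more than the lookup. And the nonce is checked with check_ajax_referer(), which dies on failure; the matching download link in the admin UI would be built with wp_nonce_url() using the same action name.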

References

- Original WPScan Advisory
- WordPress Plugin Page
- Official Changelog

1. Update the plugin to version 3.9.16 or later.

2. Delete old export files. Remove any export or import files you no longer need from your /wp-content/uploads folder.
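Step 2 is easy to forget, and the files keep piling up with every export. The script below is an added example for this article (not a tool that ships with the plugin): it walks a directory, lists export-style files older than a retention window, and deletes them only when dry-run mode is switched off. The directory to scan is passed in, so you can point it at wp-content/uploads or the plugin's own upload folder; the demo at the bottom uses a constructed temporary directory rather than a real site.

```php
<?php
// Added example, not part of the article or the plugin: find leftover
// export/import files older than a retention window and remove them.
// The extension list is an assumption about what such exports look like.

function find_stale_exports(string $dir, int $max_age_days,
                            array $extensions = ['csv', 'xml', 'json', 'xlsx']): array {
    $cutoff = time() - $max_age_days * 86400;
    $stale  = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        if (!$info->isFile()) continue;
        if (!in_array(strtolower($info->getExtension()), $extensions, true)) continue;
        if ($info->getMTime() < $cutoff) {
            $stale[] = $info->getPathname();
        }
    }
    sort($stale);
    return $stale;
}

// Dry run by default: print what would go, delete nothing. Returns the paths
// actually removed so a caller can log them.
function purge_stale_exports(string $dir, int $max_age_days, bool $dry_run = true): array {
    $removed = [];
    foreach (find_stale_exports($dir, $max_age_days) as $path) {
        if ($dry_run) {
            echo "would delete: $path\n";
        } elseif (unlink($path)) {
            echo "deleted: $path\n";
            $removed[] = $path;
        }
    }
    return $removed;
}

// Constructed demo: a temp dir with one 30-day-old CSV, one fresh CSV and a
// text file that is not an export at all.
$tmp = sys_get_temp_dir() . '/wpie-demo-' . getmypid();
mkdir($tmp);
file_put_contents("$tmp/users-export.csv", "id,email\n");
touch("$tmp/users-export.csv", time() - 30 * 86400);
file_put_contents("$tmp/fresh-export.csv", "id,email\n");
file_put_contents("$tmp/readme.txt", "not an export\n");

print_r(find_stale_exports($tmp, 7));   // only users-export.csv is older than 7 days
purge_stale_exports($tmp, 7, true);     // dry run
purge_stale_exports($tmp, 7, false);    // real deletion

// Tidy up the demo directory.
unlink("$tmp/fresh-export.csv");
unlink("$tmp/readme.txt");
rmdir($tmp);
```

Run the dry run first and read the list; a seven-day window is a reasonable default, but pick whatever matches how long your team genuinely needs an export to sit on the server. Anything you remove this way should also be treated as having been downloadable while the plugin was unpatched.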

Final Thoughts

CVE-2022-0236 is a classic example of how skipping basic capability checks in WordPress plugins leads to major headaches. Always keep your plugins updated and follow best practices for file security.

Have any questions about WP Import Export or plugin security? Drop a comment below, and let’s talk!

Timeline

Published on: 01/18/2022 17:15:00 UTC
Last modified on: 01/24/2022 17:29:00 UTC