In mid-2022, WordPress site owners faced a serious security flaw in the popular plugin "Import any XML or CSV File to WordPress". The vulnerability, CVE-2022-2711, allowed admin-level users to upload crafted ZIP archives containing malicious content. Because the plugin did not validate the file names inside the archive, an attacker could use path traversal to write files anywhere on the server that the web server process was allowed to write.

This article breaks down the flaw, how it could be abused, code examples demonstrating the vulnerability, and what you should do about it.

What is Path Traversal?

Path traversal (also called directory traversal) lets an attacker read or write files outside the directory an application intends to confine them to. It works by supplying path components such as ../ that the application passes through to the file system without neutralising them, so the resulting path escapes the intended base directory.

For example, an archive entry with a name like:

../../wp-config.php

could overwrite that critical configuration file when extracted.

The Vulnerable Plugin and Scenario

The "Import any XML or CSV File to WordPress" plugin lets admins import content by uploading either plain files or ZIP archives (containing a group of files). The vulnerability existed because, when extracting ZIP archives, the plugin did not check whether the file names inside the ZIP contained directory traversal sequences such as ../ before using them to build the destination path.

Thus, a user with admin privileges (or any user granted access to the plugin, if roles allow) could upload a specially crafted ZIP. When the plugin unzipped it, the contained files could be written anywhere the web server process had write access, leading to file overwrite or, if a PHP file was written to a web-accessible location, remote code execution.

Vulnerable Code Snippet

Rather than reproduce the plugin's source, the snippet below shows the simplified logic of the vulnerable extraction step (illustrative only, not the plugin's actual code):

$zip = new ZipArchive();
if ($zip->open($uploaded_file) === TRUE) {
    for ($i = 0; $i < $zip->numFiles; $i++) {
        // Entry name exactly as stored in the archive, attacker-controlled
        $file_name = $zip->getNameIndex($i);
        $file_content = $zip->getFromIndex($i);
        // Destination is built by plain concatenation, with no check that it stays inside $uploads_dir
        $destination_path = $uploads_dir . DIRECTORY_SEPARATOR . $file_name;
        file_put_contents($destination_path, $file_content);
    }
    $zip->close();
}

Notice that $file_name is taken directly from the ZIP archive. If it contains traversal sequences (../), the concatenated $destination_path escapes the intended $uploads_dir, and file_put_contents() writes wherever the resolved path points.

Example Exploit

Suppose an admin (or an attacker who has gained admin access) wants to overwrite the main WordPress configuration file, wp-config.php. They create a ZIP archive containing a single entry whose name is:

../../wp-config.php

Path traversal is triggered when the plugin unzips the archive: because there is no path checking, the two ../ segments move the write two directories up from the upload directory, where the payload overwrites wp-config.php.

Python code to create a malicious ZIP

import zipfile

# zipfile.writestr() stores the entry name verbatim, so the traversal
# sequence survives in the archive exactly as written here.
with zipfile.ZipFile('evil_payload.zip', 'w') as zipf:
    zipf.writestr('../../wp-config.php', "<?php die('hacked!'); ?>")

After upload, if the web server process can write to the resolved path, the attacker's file lands there. Overwriting wp-config.php with this particular payload takes the site down; writing a new .php file into a web-accessible directory instead gives the attacker remotely executable code.

Impact

- Arbitrary File Write: Any file the web server process can write could be overwritten or created. On many servers, this covers the whole WordPress installation: configuration files, plugin code, even .htaccess.
- Remote Code Execution: If a .php file is written to a web-accessible location, the attacker can execute code remotely.

References

- CVE-2022-2711 Detail Page (NVD)
- WPScan Report
- Plugin Changelog (WordPress.org)

Solution

If you use Import any XML or CSV File to WordPress, update immediately to version 3.6.9 or later. The plugin authors resolved the vulnerability in this release by validating entry paths before extraction.

How Path Validation Might Look After Fix

// Illustrative check only: reject any entry name that contains '..' anywhere
// or that starts with '/' (an absolute path).
$unsafe = strpos($file_name, '..') !== false || strpos($file_name, '/') === 0;
if ($unsafe) {
    // skip this entry (or abort the import and log the rejected name)
    continue;
}
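As an added example that is neither the plugin's code nor part of the original article, the following Python script ties the exploit section to the fix. It builds the crafted archive the same way the Python snippet above does, adds two further escape variants (an absolute path and Windows-style backslash separators), and then runs a hardened extractor that resolves each entry's final path and refuses anything that lands outside the destination directory. Python is used so that the attack-side archive construction and the defensive check sit in one runnable script; the check maps one-to-one onto the PHP loop shown earlier. The directory layout, payload bytes and file names are constructed for the demonstration.

```python
import os
import posixpath
import tempfile
import zipfile

# Constructed payload: the same bytes the exploit section writes into the archive.
PAYLOAD = b"<?php die('hacked!'); ?>"


def build_malicious_zip(zip_path):
    """Constructed sample archive: the page's ../../wp-config.php entry plus two
    further escape variants and one benign CSV such as a real import would carry."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("../../wp-config.php", PAYLOAD)      # relative traversal (as on this page)
        zf.writestr("/tmp/shell.php", PAYLOAD)           # absolute path
        zf.writestr("..\\..\\wp-config.php", PAYLOAD)    # Windows-style separators
        zf.writestr("import/products.csv", b"sku,price\nA1,9.99\n")  # benign entry
    return zip_path


def entry_escapes(dest_dir, name):
    """True if extracting entry `name` under dest_dir would write outside it.

    The check resolves the final path and compares it with the destination root,
    so it catches '..' anywhere in the name, absolute paths, and backslash
    separators (which PHP on Windows treats as directory separators)."""
    normalized = name.replace("\\", "/")
    if posixpath.isabs(normalized):
        return True
    if len(normalized) > 1 and normalized[1] == ":":  # drive-letter prefix, e.g. C:evil.php
        return True
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, normalized))
    return os.path.commonpath([root, target]) != root


def audit_zip(zip_path, dest_dir):
    """List the entry names that would escape dest_dir, without extracting anything."""
    with zipfile.ZipFile(zip_path) as zf:
        return [i.filename for i in zf.infolist() if entry_escapes(dest_dir, i.filename)]


def safe_extract(zip_path, dest_dir):
    """Hardened counterpart of the vulnerable PHP loop: validate each entry's
    final path before writing. Returns (written, rejected) entry names."""
    root = os.path.realpath(dest_dir)
    written, rejected = [], []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if entry_escapes(root, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(root, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            written.append(info.filename)
    return written, rejected


def demo():
    """Build a throwaway WordPress-like tree (hypothetical layout), run the audit
    and the safe extraction, and report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        wp_root = os.path.join(tmp, "wordpress")
        uploads = os.path.join(wp_root, "wp-content", "uploads")
        os.makedirs(uploads)
        zip_path = build_malicious_zip(os.path.join(tmp, "evil_payload.zip"))

        flagged = audit_zip(zip_path, uploads)
        written, rejected = safe_extract(zip_path, uploads)
        return {
            "flagged": flagged,
            "written": written,
            "rejected": rejected,
            "config_overwritten": os.path.exists(os.path.join(wp_root, "wp-config.php")),
            "csv_extracted": os.path.exists(os.path.join(uploads, "import", "products.csv")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving the final path and comparing it against the destination root is the robust form of the fix: a substring search for '..' in the raw name misses absolute paths and separator variants, and rejects harmless names such as "report..v2.csv". Python's own ZipFile.extractall() already sanitises entry names in this way, which is why the check is spelled out here rather than delegated to the library; the PHP loop on this page, which writes each entry with file_put_contents(), gets no such protection.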

Conclusion

CVE-2022-2711 highlights why user-supplied ZIP files are risky—especially when their contents are blindly trusted. Even admin users can make mistakes (or have their accounts compromised), so it's vital to harden all file upload and extraction logic.

If you run WordPress with this plugin, double-check your version and lock down your site. For more technical breakdowns like this, follow top security feeds and check CVE lists regularly.

Timeline

Published on: 11/07/2022 10:15:00 UTC
Last modified on: 11/09/2022 20:04:00 UTC