search

Import / Export Functionality Exploits

WordPress provides import/export features to move content between sites, usually in XML (WXR) or JSON format. While this functionality is useful for administrators, it has historically been a target for attackers.

hashtag
⚠️ The Risk

Poorly coded importer/exporter plugins often fail to properly validate user-supplied files. When this happens, an attacker may be able to:

  • Upload a malicious XML or JSON file.

  • Inject arbitrary PHP code or serialized payloads into templates or imported content.

  • Trigger remote code execution (RCE) or data exfiltration once the file is processed.

hashtag
Old plugin "WP All Import"

The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

  1. Craft a specially designed XML file containing a PHP payload inside template fields.

  2. Import the file through the plugin interface.

  3. Cause the malicious PHP code to be stored in the WordPress database and later executed on the site.

This type of exploit effectively turns a simple content migration feature into a full compromise vector.

hashtag
Attack Scenario

  1. Attacker prepares evil_import.xml with embedded PHP like:

    <post>
  <title>Malicious Post</title>
  <content><![CDATA[<?php system($_GET['cmd']); ?>]]></content>
</post>

  2. Admin imports this file using a vulnerable plugin.

  3. The injected PHP executes when the post is viewed, giving the attacker remote shell access.

  4. As an admin upload a php file containing the palyload zipped along with a valid XML file via the New Import Upload page of the plugin: 

    https://example.com//wp-admin/admin.php?page=pmxi-admin-import

When the upload finishes you'll be able to find the random directory it was sent to by checking the links on the source code of the Managed Imports page:
http://example.com/wp-admin/admin.php?page=pmxi-admin-manage

The file will be located at something like:
https://example.com/wp-content/uploads/wpallimport/uploads/f8ac124b335362e2faed2da06d2123d5/folder/filename.php

PreviousVulnerable File Upload PluginsNextPart IV – Post-Exploitation

Last updated