WP All Import 4.1.1 is a mandatory security update. It patches a severe vulnerability in WP All Import. You should upgrade immediately.
A special thanks goes to James Golovich (http://pritect.net/) and Ibrahim Raafat (https://twitter.com/RaafatSEC) for reporting the vulnerability to us!
At the time of this writing, we have not received any reports of sites hacked as a result of this vulnerability. To the best of our knowledge, this vulnerability has never been maliciously exploited in the wild.
What could a hacker do with this vulnerability?
In simple terms, a sophisticated attacker could completely takeover your WordPress installation by uploading and executing malicious PHP code on your server.
In more technical terms, 4.1.1 patches a severe vulnerability related to AJAX request validation in admin_init that can be exploited to run methods of the PMXI_Controller_Admin class even without being logged in as a site admin.
Is this fixed in the free version of WP All Import?
Yes, it's fixed in both the pro and free versions. It's fixed in pro version 4.1.1 and free version 3.2.4.
How do I install the update?
You can easily install it by upgrading from the Plugins page of your WordPress admin panel.
If you do not see the link to upgrade from within the WP admin panel, download and install the upgrade manually.
To manually upgrade, first, ensure you have a current backup of your site. Then:
1. Go to the Plugins page of your WP admin panel and de-activate and delete WP All Import from your site. You will not lose your settings/templates/previous imports.
2. Download the latest version from either http://www.wpallimport.com/portal (pro) or http://wordpress.org/plugins/wp-all-import/ (free).
3. Install the plugin manually: Here's how - from WPBeginner.com
I'm still using WP All Import 3.x (pro)
If you don't want to upgrade, and you've already done your imports with WP All Import and are no longer using it, just de-activate it. We patched the 3.4.x branch. If you're using 3.4.x e-mail [email protected] and we'll send you 3.4.4 which fixes the issue.
How long have you known about this?
On February 23rd at 3:36 PM Pacific Time the security researcher e-mailed our support desk and asked who he should contact about a security issue. We responded with information, and the security researcher sent us a proof of concept.
At 12:04 AM on February 24th we confirmed the exploit and sent the researcher a $500 bounty.
At 1:23 AM on February 26th we released versions 4.1.1 and 3.2.4 which patch the exploit.
At 1:46 AM on February 26th we sent an e-mail to our customer list notifying them to upgrade.
OK, I get that someone can execute any routine of PMXI_Controller_Admin - but how does that allow them to upload and execute PHP code?
In efforts to protect our customers, we're not going to actually disclose a proof of concept, although the security researcher may do so at a later date.
WP All Import is a popular plugin, so now that we've released the patch, any hacker can run a diff on 4.1.0 and 4.1.1 and see what we changed. So it is likely that an exploit for this vulnerability will eventually be made public.
Even if you've been proactive and disabled code execution in /wp-content/uploads/ (a good idea in general) or are on a managed host that does that for you - you should upgrade anyway.
While you're safe from the remote code execution vulnerability, attackers could still execute any routine of PMXI_Controller_Admin, which would allow them to view the contents of import logs, text files, and more.
What if my site was already hacked? Should I be scared?
This vulnerability has existed in WP All Import for a very long time. We've never heard a single report of it being exploited maliciously. It was brought to our attention by a security researcher, not a malicious hacker.
I upgraded and now whenever I try to import I get a "Security check" error.
Clear your browser cache.
Any questions? E-mail us at [email protected].
Want to report a security issue? Depending on the nature of the vulnerability, we'll potentially pay you a cash reward.
