CVE-2024-7419
Published: 07 February 2025
Summary
CVE-2024-7419 is a high-severity Code Injection (CWE-94) vulnerability in Soflyy Wp All Export. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the missing input validation and sanitization of user-supplied data in custom export fields, preventing arbitrary PHP code injection.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of the specific RCE flaw in WP ALL Export Pro versions up to 1.9.1 via patching.
- RA-5 (Vulnerability Monitoring and Scanning): Scans the system for vulnerabilities like CVE-2024-7419 in plugins, enabling timely detection and remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated code injection leading to RCE in a public-facing WordPress plugin matches T1190 (Exploit Public-Facing Application).
NVD Description
The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise. As a prerequisite, the custom export field should include fields containing user-supplied data.
Deeper analysis
CVE-2024-7419 is a remote code execution (RCE) vulnerability affecting the WP ALL Export Pro plugin for WordPress in all versions up to and including 1.9.1. The flaw stems from missing input validation and sanitization of user-supplied data in custom export fields, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H): reachable over the network without privileges, with a scope change and high impact on confidentiality, integrity, and availability, tempered by high attack complexity and a required user interaction.
Unauthenticated attackers (PR:N) exploit it by placing PHP code in user-supplied data that a custom export field later incorporates; the NVD entry names that configuration as the prerequisite. Attack complexity is high (AC:H) and user interaction is required (UI:R), for example a site administrator running the export that evaluates the poisoned field. Successful exploitation executes the injected PHP on the server, potentially resulting in complete site compromise.
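To make the bug class concrete, here is an added illustration in PHP. It is not WP All Export Pro code and the template syntax (`function({Field})`), the function names and the record values are all assumptions for the example. It models a custom export field whose template applies a PHP function to a record value: the unsafe renderer splices the raw value into source text and calls eval(), so a value an attacker can write (a post title fed by a public form, for instance) can smuggle in code; the hardened renderer never turns data into source at all.

```php
<?php
// Added illustration of the bug class (CWE-94), not WP All Export Pro code.
// A "custom export field" template may call a PHP function on a record
// value. Unsafe: substitute the value into source text, then eval().
// Hardened: parse the template, allow-list the function, pass data as an
// argument, never eval().
declare(strict_types=1);

// Hypothetical template syntax: function({Field}). Assumed for this example.
const EXPORT_TEMPLATE = 'strtoupper({Title})';

// Constructed records. The second Title is the kind of value an attacker who
// can write to a field (comment, form submission, imported data) might plant:
// it closes the string literal and appends an expression of its own.
const RECORDS = [
    ['Title' => 'Hello World'],
    ['Title' => 'x") . strrev("detcejni") . ("'],
];

/** UNSAFE: quote the value, substitute it into the template, eval() the result. */
function render_field_unsafe(string $template, array $record): string
{
    $code = $template;
    foreach ($record as $name => $value) {
        $code = str_replace('{' . $name . '}', '"' . $value . '"', $code);
    }
    // For the second record the string handed to eval() is
    //   return strtoupper("x") . strrev("detcejni") . ("");
    // so the attacker's strrev() call executes on the server.
    return (string) eval('return ' . $code . ';');
}

/** HARDENED: no eval(). Parse the template into (function, field), accept only
 *  allow-listed functions, and pass the record value as an ordinary argument. */
function render_field_safe(string $template, array $record): string
{
    static $allowed = ['strtoupper', 'strtolower', 'trim', 'ucfirst'];
    if (!preg_match('/^(\w+)\(\{(\w+)\}\)$/', $template, $m)) {
        throw new InvalidArgumentException("Unsupported template: $template");
    }
    [, $fn, $field] = $m;
    if (!in_array($fn, $allowed, true)) {
        throw new InvalidArgumentException("Function not allowed: $fn");
    }
    if (!array_key_exists($field, $record)) {
        throw new InvalidArgumentException("Unknown field: $field");
    }
    // The value is data: whatever it contains is uppercased, never executed.
    return $fn((string) $record[$field]);
}

foreach (RECORDS as $i => $record) {
    printf("record %d unsafe: %s\n", $i, render_field_unsafe(EXPORT_TEMPLATE, $record));
    printf("record %d safe:   %s\n", $i, render_field_safe(EXPORT_TEMPLATE, $record));
}
```

Run it with `php example.php`. On the first record both renderers agree. On the second, the unsafe renderer returns the string assembled by the attacker's strrev() call (proof that the smuggled expression ran), while the safe renderer returns the payload text itself, merely uppercased. If a template language with arbitrary PHP must be kept, the minimum fix is to substitute values as escaped literals (var_export($value, true)) rather than by naive quoting, but passing data as arguments to allow-listed functions removes the eval() sink entirely, which is what SI-10 style input validation is meant to achieve here.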
Advisories from Wordfence detail the vulnerability in their threat intelligence report, while the plugin vendor at WP All Import recommends upgrading to a patched version of WP ALL Export Pro beyond 1.9.1 to mitigate the issue. Security practitioners should verify the installed version and apply updates promptly, and should review existing custom export field definitions that reference user-supplied data, since that configuration is the prerequisite the advisory names.
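As an added RA-5 style check (not the vendor's code), the following script reads the plugin main file's header the way WordPress's get_file_data() does, extracts the Version: line, and flags any install at or below 1.9.1. The plugin path under the WordPress root is an assumption; adjust it if the plugin is installed elsewhere.

```php
<?php
// Added version check for CVE-2024-7419, not vendor code. Parses the
// "Version:" header from a plugin main file and compares it with the last
// affected release named in the advisory (1.9.1).
declare(strict_types=1);

const LAST_AFFECTED = '1.9.1';
// Assumed location of the Pro plugin's main file relative to a WordPress root.
const ASSUMED_PLUGIN_FILE = 'wp-content/plugins/wp-all-export-pro/wp-all-export-pro.php';

/** Return the Version: header value from plugin source, or null if absent. */
function plugin_header_version(string $source): ?string
{
    // Header lines sit in the leading comment; tolerate "*", "//", "#" prefixes.
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(.+?)[ \t]*$/mi', $source, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the installed version is within the affected range (<= 1.9.1). */
function is_affected(string $version): bool
{
    return version_compare($version, LAST_AFFECTED, '<=');
}

/** One-line verdict for a plugin main file on disk. */
function check_plugin_file(string $path): string
{
    if (!is_readable($path)) {
        return "$path: not found (plugin absent or installed at a different path)";
    }
    $version = plugin_header_version((string) file_get_contents($path));
    if ($version === null) {
        return "$path: no Version: header found, inspect manually";
    }
    return is_affected($version)
        ? "$path: version $version is AFFECTED by CVE-2024-7419, update past " . LAST_AFFECTED
        : "$path: version $version is outside the affected range";
}

// Constructed headers to exercise the parser offline (not real plugin files).
$samples = [
    'affected' => "<?php\n/*\nPlugin Name: WP All Export Pro\nVersion: 1.9.1\n*/\n",
    'later'    => "<?php\n/**\n * Plugin Name: WP All Export Pro\n * Version: 1.9.2\n */\n",
];
foreach ($samples as $label => $src) {
    $v = plugin_header_version($src);
    printf("%s sample: version %s, affected=%s\n", $label, $v, var_export(is_affected($v), true));
}

// Real check: php check.php /var/www/html   (argument is the WordPress root)
if (isset($argv[1])) {
    echo check_plugin_file(rtrim($argv[1], '/') . '/' . ASSUMED_PLUGIN_FILE), "\n";
}
```

Without an argument the script only runs the constructed samples; with a WordPress root it reports on the real file. Because version_compare() orders pre-release suffixes below the plain number, a build tagged below 1.9.1 is still reported as affected, which is the conservative result wanted from a scanner.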
Details
- CWE(s)