CVE-2024-7425
Published: 07 February 2025
Summary
CVE-2024-7425 is a medium-severity Code Injection (CWE-94) vulnerability in Soflyy Wp All Export. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 36.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the improper user input validation and sanitization in the WP ALL Export Pro plugin that enables unauthorized modification of WordPress options.
Requires timely identification, reporting, and remediation of flaws like CVE-2024-7425 through plugin patching to prevent privilege escalation exploitation.
Enforces least privilege to restrict Shop Manager-level users from accessing or modifying arbitrary site options that could lead to administrative privilege escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables authenticated attackers to exploit improper input handling for arbitrary option modification, resulting in privilege escalation to full administrative control.
NVD Description
The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it…
more
possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Deeper analysisAI
CVE-2024-7425 is a vulnerability in the WP ALL Export Pro plugin for WordPress that allows unauthorized modification of data, leading to privilege escalation. It stems from improper user input validation and sanitization in all versions up to and including 1.9.1. The issue, classified under CWE-94 (Code Injection), has a CVSS v3.1 base score of 6.8 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) and was published on 2025-02-07.
Authenticated attackers with Shop Manager-level access or higher can exploit this vulnerability over the network with low complexity, though it requires user interaction. By updating arbitrary WordPress options, they can, for example, change the default role for new user registrations to administrator and enable user registration. This enables the attackers to create administrative accounts and gain full control over the vulnerable site.
Advisories from Wordfence detail the vulnerability and recommend mitigation through updating the plugin, as indicated by the official upgrade page from WP All Import. Security practitioners should ensure sites running affected versions upgrade promptly to patched releases to prevent exploitation.
Details
- CWE(s)