Description
The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.
Published: 2026-06-19
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Advanced Import plugin for WordPress allows authenticated users with Author-level or higher permissions to trigger server-side requests by submitting the demo_file form field. The plugin uses wp_remote_get without validating the user-supplied URL, enabling the attacker to instruct the WordPress installation to fetch any internal or external resource. This can be used to exfiltrate data from internal services or access cloud instance metadata endpoints, potentially leaking secrets or sensitive configuration information. The vulnerability is a classic instance of CWE-918, which can compromise confidentiality by exposing internal network details and may affect availability if malicious requests overwhelm services.

Affected Systems

The affected product is the Advanced Import WordPress plugin, version 1.4.6 and all earlier releases. Users operating any of these plugin versions on WordPress sites should assess whether their site grants upload_files capability to users with Author or higher roles.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score is not available, so the estimated likelihood of exploitation is unknown, but because the flaw allows denial of service and data theft from internal resources, it warrants prompt attention. The vulnerability is not listed in the CISA KEV catalog, yet authenticated attackers can still exploit it if they have access to the site. The plausible attack vector is through the plugin's AJAX handler when a user performs the One-Click Demo Import action with a malicious demo_file URL.

Generated by OpenCVE AI on June 19, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of the Advanced Import plugin, which replaces wp_remote_get with a validated or safe remote request method.
  • Limit the upload_files capability to administrator roles or remove it from authors if the site does not need media uploads.
  • Configure the web server or firewall to block outbound requests to internal or private IP ranges from the WordPress installation.
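To make the description and the first recommended action concrete, the following is an added illustration, not code from the Advanced Import plugin, Wordfence or OpenCVE. It places the pattern the advisory describes (a user-supplied URL passed through sanitize_text_field() and straight into wp_remote_get()) beside a hardened AJAX handler that uses wp_safe_remote_get(), the function the description says the plugin already uses elsewhere. The handler and hook names (my_demo_import_*), the nonce action and the allow-listed host are hypothetical; the WordPress functions called are real core APIs.

```php
<?php
// Illustrative example only; hypothetical plugin code, not Advanced Import's.

// Vulnerable pattern from the advisory: sanitize_text_field() strips tags and
// control characters (an XSS measure) but places no constraint on the URL's
// scheme, host or destination address, so wp_remote_get() will fetch whatever
// the caller names, including hosts that are only reachable from the server.
function my_demo_import_vulnerable() {
    $demo_file = isset( $_POST['demo_file'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_file'] ) )
        : '';

    $response = wp_remote_get( $demo_file ); // no destination validation
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}

// Hardened pattern: authorization, URL normalisation, host allow-list, and
// the safe transport wrapper, each an independent layer.
function my_demo_import_hardened() {
    // 1. Tie the action to a nonce and require an administrative capability
    //    instead of upload_files, which Authors hold by default.
    check_ajax_referer( 'my_demo_import', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 2. Normalise and restrict the scheme to http/https before anything else.
    $demo_file = isset( $_POST['demo_file'] )
        ? esc_url_raw( wp_unslash( $_POST['demo_file'] ), array( 'http', 'https' ) )
        : '';

    // 3. Demo packages come from a fixed vendor location, so allow-list the
    //    host. This also covers cases the core check does not (IPv6 literals,
    //    a hostname that resolves differently at fetch time than at check time).
    $allowed_hosts = array( 'demos.example.com' ); // hypothetical vendor host
    $host          = wp_parse_url( $demo_file, PHP_URL_HOST );
    if ( ! $host || ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
        wp_send_json_error( 'Demo URL host not allowed', 400 );
    }

    // 4. wp_safe_remote_get() runs wp_http_validate_url(): it rejects embedded
    //    credentials, non-standard ports, and hosts that resolve to loopback or
    //    RFC 1918 IPv4 space (unless the http_request_host_is_external filter
    //    opts a host in). Redirects are disabled so a permitted host cannot
    //    bounce the request to an internal address.
    $response = wp_safe_remote_get(
        $demo_file,
        array(
            'timeout'     => 30,
            'redirection' => 0,
        )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'Could not fetch demo file', 502 );
    }

    // Proceed to unzip only after the archive itself is checked, then
    // return the result to the caller.
    wp_send_json_success( 'Demo package fetched' );
}
add_action( 'wp_ajax_my_demo_import', 'my_demo_import_hardened' );
```

The third recommended action (blocking outbound traffic to private ranges at the network layer) remains worthwhile alongside this: wp_http_validate_url() resolves the hostname once and checks IPv4 only, so the allow-list and egress filtering are what hold when that check is sidestepped.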

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 06:15:00 +0000

Values added (no values removed):

  • Description: The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.
  • Title: Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter
  • Weaknesses: CWE-918
  • References: (none)
  • Metrics: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T04:31:33.421Z

Reserved: 2026-03-17T13:35:59.158Z

Link: CVE-2026-4328

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T07:30:16Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)