{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/post-export-import-with-media-plugin--1.13.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-13430"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Post Export Import with Media plugin (\u003c= 1.13.1)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","wordpress","arbitrary-file-upload","rce"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-13430, has been identified in the \u0026quot;Post Export Import with Media\u0026quot; plugin for WordPress, impacting all versions up to, and including, 1.13.1. This flaw stems from insufficient file extension validation within the \u003ccode\u003eimport_media_file_secure\u003c/code\u003e function, specifically exploiting a trailing-dot filename bypass. Attackers can craft a ZIP archive containing a malicious PHP file (e.g., \u003ccode\u003eshell.php.\u003c/code\u003e), which, when processed by the \u003ccode\u003eajax_import_media_start()\u003c/code\u003e function, circumvents the extension allow-list check due to how \u003ccode\u003epathinfo()\u003c/code\u003e handles the trailing dot. The file is initially extracted to a temporary location and subsequently copied to the WordPress uploads directory without re-validation, making it accessible as an executable web shell. This allows authenticated attackers with administrator-level access to achieve remote code execution on the compromised WordPress server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains valid administrator-level credentials for a WordPress site running the vulnerable \u0026quot;Post Export Import with Media\u0026quot; plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a ZIP archive containing a malicious PHP web shell (e.g., \u003ccode\u003eshell.php.\u003c/code\u003e) with a trailing dot in its filename.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the WordPress administration panel and initiates a media import process via the vulnerable plugin, uploading the crafted ZIP archive.\u003c/li\u003e\n\u003cli\u003eThe plugin's \u003ccode\u003eajax_import_media_start()\u003c/code\u003e function processes the ZIP entry; the \u003ccode\u003epathinfo()\u003c/code\u003e function, when encountering the trailing dot (e.g., \u003ccode\u003eshell.php.\u003c/code\u003e), returns an empty string for the file extension.\u003c/li\u003e\n\u003cli\u003eThis empty extension bypasses the plugin's allow-list validation check, treating the malicious PHP file as a benign file type.\u003c/li\u003e\n\u003cli\u003eThe PHP web shell is extracted to a temporary directory on the web server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eimport_media_file_secure()\u003c/code\u003e function copies the extracted web shell from the temporary location to the \u003ccode\u003e/wp-content/uploads/\u003c/code\u003e directory without performing further extension re-validation.\u003c/li\u003e\n\u003cli\u003eThe attacker browses to the newly uploaded web shell (e.g., \u003ccode\u003ehttps://example.com/wp-content/uploads/shell.php\u003c/code\u003e), gaining remote code execution on the web server and potentially full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13430 allows an authenticated attacker with administrator privileges to achieve remote code execution on the WordPress server. This can lead to complete compromise of the website, including defacement, data theft from the database, further network pivot within the hosting environment, or use of the server for malicious activities such as hosting malware or launching attacks against other systems. The widespread use of WordPress and its plugins means many organizations could be exposed if they do not promptly patch this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the \u0026quot;Post Export Import with Media\u0026quot; plugin to a patched version once available to address CVE-2026-13430.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect post-exploitation web shell access within your WordPress uploads directory.\u003c/li\u003e\n\u003cli\u003eConfigure web application firewall (WAF) rules to inspect uploaded files for suspicious content and extensions, specifically blocking uploads of PHP files into media directories.\u003c/li\u003e\n\u003cli\u003eRegularly review administrator accounts on your WordPress installations for any unauthorized or suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T04:20:29Z","date_published":"2026-07-10T04:20:29Z","id":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-plugin-rce/","summary":"A high-severity arbitrary file upload vulnerability, CVE-2026-13430, exists in all versions up to 1.13.1 of the Post Export Import with Media plugin for WordPress, allowing authenticated administrators to upload executable web shells via a trailing-dot filename bypass, leading to remote code execution.","title":"CVE-2026-13430: WordPress Post Export Import with Media Plugin Arbitrary File Upload Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-wordpress-plugin-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Post Export Import With Media Plugin (\u003c= 1.13.1)","version":"https://jsonfeed.org/version/1.1"}