<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Post Export Import With Media Plugin (&lt;= 1.13.1) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/post-export-import-with-media-plugin--1.13.1/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 04:20:29 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/post-export-import-with-media-plugin--1.13.1/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-13430: WordPress Post Export Import with Media Plugin Arbitrary File Upload Leading to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-07-wordpress-plugin-rce/</link><pubDate>Fri, 10 Jul 2026 04:20:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-wordpress-plugin-rce/</guid><description>A high-severity arbitrary file upload vulnerability, CVE-2026-13430, exists in all versions up to 1.13.1 of the Post Export Import with Media plugin for WordPress, allowing authenticated administrators to upload executable web shells via a trailing-dot filename bypass, leading to remote code execution.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-13430, has been identified in the &quot;Post Export Import with Media&quot; plugin for WordPress, impacting all versions up to, and including, 1.13.1. This flaw stems from insufficient file extension validation within the <code>import_media_file_secure</code> function, specifically exploiting a trailing-dot filename bypass. Attackers can craft a ZIP archive containing a malicious PHP file (e.g., <code>shell.php.</code>), which, when processed by the <code>ajax_import_media_start()</code> function, circumvents the extension allow-list check due to how <code>pathinfo()</code> handles the trailing dot. The file is initially extracted to a temporary location and subsequently copied to the WordPress uploads directory without re-validation, making it accessible as an executable web shell. This allows authenticated attackers with administrator-level access to achieve remote code execution on the compromised WordPress server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains valid administrator-level credentials for a WordPress site running the vulnerable &quot;Post Export Import with Media&quot; plugin.</li>
<li>The attacker crafts a ZIP archive containing a malicious PHP web shell (e.g., <code>shell.php.</code>) with a trailing dot in its filename.</li>
<li>The attacker logs into the WordPress administration panel and initiates a media import process via the vulnerable plugin, uploading the crafted ZIP archive.</li>
<li>The plugin's <code>ajax_import_media_start()</code> function processes the ZIP entry; the <code>pathinfo()</code> function, when encountering the trailing dot (e.g., <code>shell.php.</code>), returns an empty string for the file extension.</li>
<li>This empty extension bypasses the plugin's allow-list validation check, treating the malicious PHP file as a benign file type.</li>
<li>The PHP web shell is extracted to a temporary directory on the web server.</li>
<li>The <code>import_media_file_secure()</code> function copies the extracted web shell from the temporary location to the <code>/wp-content/uploads/</code> directory without performing further extension re-validation.</li>
<li>The attacker browses to the newly uploaded web shell (e.g., <code>https://example.com/wp-content/uploads/shell.php</code>), gaining remote code execution on the web server and potentially full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-13430 allows an authenticated attacker with administrator privileges to achieve remote code execution on the WordPress server. This can lead to complete compromise of the website, including defacement, data theft from the database, further network pivot within the hosting environment, or use of the server for malicious activities such as hosting malware or launching attacks against other systems. The widespread use of WordPress and its plugins means many organizations could be exposed if they do not promptly patch this vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the &quot;Post Export Import with Media&quot; plugin to a patched version once available to address CVE-2026-13430.</li>
<li>Deploy the provided Sigma rule to detect post-exploitation web shell access within your WordPress uploads directory.</li>
<li>Configure web application firewall (WAF) rules to inspect uploaded files for suspicious content and extensions, specifically blocking uploads of PHP files into media directories.</li>
<li>Regularly review administrator accounts on your WordPress installations for any unauthorized or suspicious activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>wordpress</category><category>arbitrary-file-upload</category><category>rce</category></item></channel></rss>