CVE-2022-1977: 
WordPress vulnerability analysis and mitigation

The Import Export All WordPress Images, Users & Post Types WordPress plugin before version 6.5.3 contains a Server-Side Request Forgery (SSRF) vulnerability. The plugin fails to properly validate files imported via URL before making HTTP requests, potentially allowing high-privilege users such as administrators to perform Blind SSRF attacks (WPScan, NVD). This vulnerability was discovered and publicly disclosed on June 2, 2022.

The vulnerability is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 7.2 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue stems from insufficient validation of file import URLs, which can be exploited through the file upload by URL function. Proof of concept involves using internal/LAN URLs such as 'https://127.0.0.1:8080' or 'http://192.168.0.224:8181/?u=https://docs.google.com/' in the file upload function (WPScan).

When exploited, this vulnerability could allow authenticated administrators to perform Blind SSRF attacks, potentially enabling them to scan internal networks, bypass firewalls, and access internal resources that should not be accessible from external networks (WPScan).

The vulnerability has been patched in version 6.5.3 of the WordPress plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).