
Cloud Vulnerability DB
A community-led vulnerabilities database
The WP All Export Pro plugin for WordPress contains a remote code execution vulnerability (CVE-2024-7419) affecting all versions up to and including 1.9.1. The flaw is in the custom export fields functionality, where user-supplied data is not validated or sanitized (Wordfence Advisory).
The root cause is inadequate validation and sanitization of user-supplied data in the custom export fields feature. Unauthenticated attackers can inject arbitrary PHP code into form fields, and that code is executed on the server during the export process. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) from NVD and 8.3 (HIGH) from Wordfence, and is classified as CWE-94 (Improper Control of Generation of Code) (Wordfence Advisory).
Successful exploitation could lead to complete site compromise: the attacker can execute arbitrary PHP code on the server, potentially gaining unauthorized access to sensitive data and system resources. Exploitation requires that the custom export field include fields containing user-supplied data (Wordfence Advisory).
Users are advised to upgrade to version 1.9.2 or later of the WP All Export Pro plugin to address this vulnerability (WP All Export).
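An added example, not part of the original advisory or the plugin's code: a Python check that reads the `Version:` line from a plugin's header comment and classifies it against the 1.9.1/1.9.2 boundary stated above. The sample headers are constructed and the function names are hypothetical.

```python
import re

# Boundary taken from the advisory text: <= 1.9.1 is affected, 1.9.2 is fixed.
FIXED = (1, 9, 2)

# WordPress reads plugin metadata from "Key: value" lines in the header
# comment of the plugin's main PHP file; this matches the Version line.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)",
                       re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the numeric version tuple from a plugin header, or None."""
    m = HEADER_RE.search(text)
    if not m:
        return None
    digits = re.match(r"\d+(?:\.\d+)*", m.group(1))
    if not digits:
        return None
    nums = [int(p) for p in digits.group(0).split(".")]
    nums += [0] * (3 - len(nums))  # pad "1.9" to (1, 9, 0)
    return tuple(nums)


def classify(text):
    """Classify a plugin header as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # needs manual review; do not assume it is safe
    # Tuple comparison is numeric, so 1.10.0 correctly sorts after 1.9.2.
    return "affected" if version < FIXED else "fixed"


# Constructed sample headers, keyed by a hypothetical site label.
SAMPLES = {
    "site-a": "<?php\n/*\nPlugin Name: WP All Export Pro\nVersion: 1.9.1\n*/",
    "site-b": "<?php\n/*\n * Plugin Name: WP All Export Pro\n * Version: 1.9.2\n */",
    "site-c": "<?php\n/*\nPlugin Name: WP All Export Pro\nVersion: 1.10.0\n*/",
    "site-d": "<?php // header stripped",
}


def audit(samples):
    """Map each site label to its classification."""
    return {site: classify(text) for site, text in samples.items()}


if __name__ == "__main__":
    for site, status in audit(SAMPLES).items():
        print(site, status)
```
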
Source: This report was generated using AI