WP All Export Pro Vulnerability – Fix It Now Before Hackers Exploit It!

WP All Export Pro <= 1.9.1 has a critical security flaw (CVE-2024-7425) allowing ShopManager+ users to modify arbitrary options. Learn how to fix it now!

A new vulnerability (CVE-2024-7425) has been discovered in WP All Export Pro (versions <= 1.9.1), posing a significant security risk. This flaw allows authenticated users with ShopManager+ roles to update arbitrary options within the WordPress database. If left unpatched, attackers could manipulate site settings, potentially leading to data breaches or even full site compromise.

Discovered by Francesco Carlucci on February 7, 2025, this vulnerability has been assigned a CVSS score of 6.8 (Medium Severity). If you’re using WP All Export Pro, it’s crucial to take immediate action.


What Is WP All Export Pro?

WP All Export Pro is a popular WordPress plugin that allows users to export data from their website in a structured manner. It’s widely used for migrating content, backing up site data, and automating WooCommerce store exports.

However, in versions 1.9.1 and earlier, a security loophole has been identified that could allow unauthorized changes to critical site settings.


Understanding CVE-2024-7425 – What’s the Risk?

This vulnerability specifically affects users with ShopManager+ roles. Typically, Shop Managers have limited administrative privileges, but due to this flaw, they can:

  • Modify arbitrary WordPress options – This includes settings related to plugins, themes, and even security configurations.
  • Alter site behavior – Attackers can change payment settings, disable security plugins, or inject malicious redirects.
  • Gain unauthorized access – If exploited further, this could lead to privilege escalation, allowing attackers to seize control of the entire website.

Who Is Affected?

If your website is running WP All Export Pro 1.9.1 or an earlier version, you are at risk. This includes WooCommerce store owners, WordPress administrators, and agencies using the plugin for bulk data exports.


How to Fix the WP All Export Pro Vulnerability?

1. Update to the Latest Version

The most effective way to mitigate this vulnerability is by updating WP All Export Pro to the latest patched version. You can download the latest release from:
🔗 WP All Export Pro Official Website

2. Restrict ShopManager+ Privileges

Until you have applied the update, consider restricting ShopManager+ permissions using a role management plugin like:

  • User Role Editor
  • Members – Membership & User Role Editor Plugin

3. Implement a Web Application Firewall (WAF)

A WAF can block exploit attempts in real-time. Popular WAF solutions include:

4. Monitor Site Activity

Use security plugins to track user actions and detect unauthorized changes:


How Can an Attacker Exploit This Vulnerability?

  1. An attacker logs in as a ShopManager+ user.
  2. They modify the WordPress options table, injecting harmful settings.
  3. The attacker disables security measures, redirects users to malicious sites, or alters payment details.

This is why patching the vulnerability ASAP is essential.


How to Check If Your Site Has Been Compromised?

If you suspect your site has been targeted, follow these steps:

  • Check WordPress Options Table – Use phpMyAdmin or a database tool to inspect recent changes.
  • Scan for Malicious Redirects – Use Google Safe Browsing to check if your site has been flagged.
  • Review User Activity Logs – Look for suspicious logins or unauthorized modifications.

If any irregularities are found, restore from a clean backup and update all plugins immediately.
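
One way to carry out the options-table check above, as an added example that is not part of the original article or of WP All Export Pro: the script compares a known-good export of the options table with a current one and reports changes to options that control registration, default role, site URLs and active plugins. It assumes both exports come from `wp option list --format=json`; the watch list, role set, hostnames and sample data are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Options that control registration, default privileges, site URLs and loaded
# plugins. The watch list is an assumption for this example; extend it per site.
WATCHED = ("siteurl", "home", "admin_email", "users_can_register",
           "default_role", "active_plugins")
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}

def load_options(export_json):
    """Parse `wp option list --format=json` output into {name: value}."""
    return {r["option_name"]: str(r["option_value"]) for r in json.loads(export_json)}

def audit(baseline, current, expected_host):
    """Return (option, reason, old, new) tuples for suspicious differences."""
    findings = []
    for name in WATCHED:
        old, new = baseline.get(name), current.get(name)
        if old != new:
            findings.append((name, "changed since baseline", old, new))
    # Checks that hold even when no trustworthy baseline exists.
    for name in ("siteurl", "home"):
        host = urlparse(current.get(name, "")).hostname
        if host != expected_host:
            findings.append((name, "points to unexpected host", expected_host, host))
    role = current.get("default_role")
    if current.get("users_can_register") == "1" and role in PRIVILEGED_ROLES:
        findings.append(("default_role", "open registration grants privileged role", None, role))
    return findings

# Constructed sample data (not taken from a real site).
BASELINE_JSON = json.dumps([
    {"option_name": "siteurl", "option_value": "https://shop.example"},
    {"option_name": "home", "option_value": "https://shop.example"},
    {"option_name": "admin_email", "option_value": "owner@shop.example"},
    {"option_name": "users_can_register", "option_value": "0"},
    {"option_name": "default_role", "option_value": "customer"},
])
CURRENT_JSON = json.dumps([
    {"option_name": "siteurl", "option_value": "https://shop.example"},
    {"option_name": "home", "option_value": "https://redirect.example/landing"},
    {"option_name": "admin_email", "option_value": "owner@shop.example"},
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
])

if __name__ == "__main__":
    for finding in audit(load_options(BASELINE_JSON), load_options(CURRENT_JSON), "shop.example"):
        print(finding)
```

Take the baseline export from a backup that predates the suspected change, since a baseline captured after tampering would hide it.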


Final Thoughts – Don’t Wait, Secure Your Site Today!

Security vulnerabilities like CVE-2024-7425 can have devastating consequences for WordPress sites. If you’re using WP All Export Pro <= 1.9.1, updating to the latest version is non-negotiable.

By taking proactive measures—such as updating plugins, restricting roles, and monitoring site activity—you can safeguard your website from exploitation.
