Luk6785

**Name of the Vulnerable Software and Affected Versions** Customizer Export/Import plugin for WordPress versions up to, and including, 0.9.7 **Description** The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ` import` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. The vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created. **Recommendations** For versions up to, and including, 0.9.7, consider disabling the ` import` function until a patch is available to prevent arbitrary file uploads. Restrict access to the plugin's import functionality to minimize the risk of exploitation. Avoid using the plugin for importing files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.