PT-2024-15007 · WordPress · Import/Export Users/Customers Plugin For Wordpress
István Márton · Published 2024-01-11 · Updated 2025-06-03
CVE-2023-6558
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Export and Import Users and Customers plugin for WordPress versions up to, and including, 2.4.8
Description
The issue is related to insufficient file type validation on the upload import file function, allowing authenticated attackers with shop manager-level capabilities or above to upload arbitrary files on the affected site's server. This may make remote code execution possible.
Recommendations
For versions up to, and including, 2.4.8, consider disabling the upload import file function until a patch is available to prevent arbitrary file uploads. Restrict access to the plugin's upload functionality to minimize the risk of exploitation. Avoid using the plugin for importing or exporting users and customers until the issue is resolved.
Fix
RCE
Unrestricted File Upload
Weakness Enumeration
Related Identifiers
Affected Products
Import/Export Users/Customers Plugin For Wordpress