Webtoffee: >> Import Export Wordpress Users >> 1.0.9 Security Vulnerabilities
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Score
7.2
EPSS Score
0.038
Published
2024-01-11
The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user passwords and potentially take over administrator accounts.
CVSS Score
7.2
EPSS Score
0.002
Published
2023-07-18
The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV.
CVSS Score
8.8
EPSS Score
0.006
Published
2020-04-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
CVSS Score
7.3
EPSS Score
0.088
Published
2019-08-23