Vulnerabilities and security researches forusers-customers-import-export-for-wp-woocommerce users-customers-import-export-for-wp-woocommerce

Jun 07, 2024

CVE, Research URL: CVE-2020-12074
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Apr 23, 2020
Research Description: The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-15092
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Aug 24, 2019
Research Description: The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-30492
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Mar 29, 2024
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WebToffee Import Export WordPress Users.This issue affects Import Export WordPress Users: from n/a through 2.5.2.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-32835
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Apr 24, 2024
Research Description: Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users.This issue affects Import Export WordPress Users: from n/a through 2.5.3.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-3459
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Jul 18, 2023
Research Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user passwords and potentially take over administrator accounts.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-6558
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Jan 11, 2024
Research Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

Mar 23, 2025

CVE, Research URL: CVE-2025-1971
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Mar 22, 2025
Research Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2025-1972
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Mar 22, 2025
Research Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2025-1973
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Mar 22, 2025
Research Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2025-1970
Home page URL: Security reports for Export and Import Users and Customers
Application: Export and Import Users and Customers
Date: Mar 22, 2025
Research Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Affected versions: Min -, max -.
Status: vulnerable