CVE-2024-50413 – WordPress Import and export users and customers plugin <= 1.27.5 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-50413
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in codection Import and export users and customers allows Stored XSS.This issue affects Import and export users and customers: from n/a through 1.27.5. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en codection Import and export users and customers permite XSS almacenado. Este problema afecta a la importación y exportación de usuarios y clientes: desde n/a hasta 1.27.5. The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.27.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/import-users-from-csv-with-meta/wordpress-import-and-export-users-and-customers-plugin-1-27-5-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-38787 – WordPress Import and export users and customers plugin <= 1.26.8 - Sensitive Information via Imported File vulnerability
https://notcve.org/view.php?id=CVE-2024-38787
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Codection Import and export users and customers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Import and export users and customers: from n/a through 1.26.8. The Import and export users and customers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.26.8 via the fileupload_process function that uploads an import file in a public directory and does not subsequently delete it. This makes it possible for unauthenticated attackers to extract sensitive data including user data. • https://patchstack.com/database/vulnerability/import-users-from-csv-with-meta/wordpress-import-and-export-users-and-customers-plugin-1-26-8-sensitive-information-via-imported-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-32817 – WordPress Import and export users and customers plugin <= 1.26.2 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-32817
Deserialization of Untrusted Data vulnerability in Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.26.2. Vulnerabilidad de deserialización de datos no confiables en Import and export users and customers. Este problema afecta a los usuarios y clientes de importación y exportación: desde n/a hasta 1.26.2. The Import and export users and customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.26.2 via deserialization of untrusted input in the import.php file. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. • https://patchstack.com/database/vulnerability/import-users-from-csv-with-meta/wordpress-import-and-export-users-and-customers-plugin-1-26-2-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
CVE-2024-22151 – WordPress Import and export users and customers plugin <= 1.24.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-22151
Missing Authorization vulnerability in Codection Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.24.6. Vulnerabilidad de autorización faltante en usuarios y clientes de importación y exportación de Codection. Este problema afecta a los usuarios y clientes de importación y exportación: desde n/a hasta 1.24.6. The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the fire_cron function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to trigger the plugin's cron job. • https://patchstack.com/database/vulnerability/import-users-from-csv-with-meta/wordpress-import-and-export-users-and-customers-plugin-1-24-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2019-14683 – Import and export users and customers <= 1.14.1.3 - Cross-Site Request Forgery leading to attachment deletion & Path Traversal
https://notcve.org/view.php?id=CVE-2019-14683
The codection "Import users from CSV with meta" plugin before 1.14.2.2 for WordPress allows wp-admin/admin-ajax.php?action=acui_delete_attachment CSRF. El complemento de codificación "Import users from CSV with meta" en versiones anteriores a 1.14.2.2 para WordPress permite wp-admin / admin-ajax.php? Action = acui_delete_attachment CSRF. • https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta?rev=2112013 https://wordpress.org/plugins/import-users-from-csv-with-meta/#developers https://wpvulndb.com/vulnerabilities/9392 https://www.pluginvulnerabilities.com/2019/06/21/cross-site-request-forgery-csrf-media-deletion-vulnerability-in-import-users-from-csv-with-meta • CWE-352: Cross-Site Request Forgery (CSRF) •