
CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Dec 2023 — The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/tags/2.4.7/admin/modules/import/classes/class-import-ajax.php#L124 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jul 2023 — The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers with shop manager-level permissions to change user passwords and potentially take over administrator accounts. • https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/tags/2.4.1/admin/modules/user/import/import.php#L446 • CWE-863: Incorrect Authorization

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

11 Mar 2020 — The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV. The Product Import Export for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.7.4 due to missing capability checks on t... • https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users • CWE-269: Improper Privilege Management • CWE-862: Missing Authorization

CVSS: 7.3 | EPSS: 0% | CPEs: 1 | EXPL: 3

22 Aug 2018 — The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. • https://www.exploit-db.com/exploits/47303 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-1236: Improper Neutralization of Formula Elements in a CSV File