CVE-2020-12074
Product Import Export for WooCommerce <= 1.7.4 - Missing Authorization to CSV Import
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV.
El plugin users-customers-import-export-for-wp-woocommerce en versiones anteriores a la 1.3.9 para Wordpress permite a los suscriptores importar cuentas administrativas a través de CSV.
The Product Import Export for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.7.4 due to missing capability checks on the woocommerce_csv_import_request AJAX action. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to import products for WooCommerce.
*Credits:
Chloe Chamberland
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-03-11 CVE Published
- 2020-04-23 CVE Reserved
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-269: Improper Privilege Management
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users | 2024-08-04 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Webtoffee Search vendor "Webtoffee" | Import Export Wordpress Users Search vendor "Webtoffee" for product "Import Export Wordpress Users" | < 1.3.9 Search vendor "Webtoffee" for product "Import Export Wordpress Users" and version " < 1.3.9" | wordpress |
Affected
| ||||||