WordPress Plugin Vulnerabilities

Import and export users and customers < 1.24.3 - Admin+ Arbitrary File Read/Deletion

Description

The plugin is vulnerable to Directory Traversal via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information.

Affects Plugins

Plugin icon
import-users-from-csv-with-meta
Fixed in 1.24.3

References

CVE
CVE-2023-6583
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ac709779-36f1-4f66-8db3-95a514a5ea59

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Labda
Verified
No
WPVDB ID
6556d9cb-55e9-4ce5-b3d9-f2c9f7df215a

Timeline

Publicly Published
2023-12-08 (about 2 years ago)
Added
2023-12-12 (about 2 years ago)
Last Updated
2023-12-12 (about 2 years ago)

Other

Published
Title
Published
2025-01-06
Title
Social Share Buttons for WordPress <= 2.7 - Unauthenticated Image Upload & Path Traversal
Published
2021-12-01
Title
CAOS < 4.1.9 - Admin+ Arbitrary Folder Deletion via Path Traversal
Published
2020-08-11
Title
Add From Server <= 3.3.3 - Authenticated Path Traversal to Arbitrary File Access
Published
2019-07-12
Title
Ad Inserter <= 2.4.19 - Authenticated Path Traversal
Published
2017-10-20
Title
Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal