Import and export users and customers < 1.26.7 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-4656 | Plugin Vulnerabilities

Description

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

import-users-from-csv-with-meta

Fixed in 1.26.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/af742451-b2d6-445a-9a10-e950490f6c7c

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

quanhx hxx

Verified

No

WPVDB ID

6f3e449b-aaca-4f45-8fa5-ebd46ffe16d9

Timeline

Publicly Published

2024-05-14 (about 2 years ago)

Added

2024-05-14 (about 2 years ago)

Last Updated

2024-05-14 (about 2 years ago)

Other

Published

Title

Published

2025-05-07

Title

Amazon Product in a Post <= 5.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-01-14

Title

Ajax Contact Form < 1.4.2 - Contributor+ Stored XSS

Published

2025-01-15

Title

WP Responsive Tabs < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-11-23

Title

Easy Social Icons < 3.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Published

2026-02-09

Title

NEX-Forms < 9.1.8 - Reflected Cross-Site Scripting