WordPress Plugin Vulnerabilities

Export and Import Users and Customers < 2.6.3 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function

Description

The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

Affects Plugins

Plugin icon
users-customers-import-export-for-wp-woocommerce
Fixed in 2.6.3

References

CVE
CVE-2025-1972
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2d443c70-6537-4c6d-a282-12d392f0f558

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
2.7 (low)

Miscellaneous

Original Researcher
HayMiz
Verified
No
WPVDB ID
8094b822-370a-4bc4-9205-98448a0616ba

Timeline

Publicly Published
2025-03-21 (about 1 year ago)
Added
2025-03-21 (about 1 year ago)
Last Updated
2025-03-22 (about 1 year ago)

Other

Published
Title
Published
2022-03-16
Title
iQ Block Country < 1.2.13 - Admin+ Arbitrary File Deletion via Zip Slip
Published
2025-12-05
Title
10Web Booster < 2.32.11 - Subscriber+ Arbitrary Folder Deletion
Published
2025-11-20
Title
简数采集器 < 2.6.4 - Authenticated (Admin+) Arbitrary File Read
Published
2024-12-20
Title
SMSA Shipping(official) < 2.4 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2025-10-31
Title
Import WP – Export and Import CSV and XML files to WordPress < 2.14.17 - Authenticated (Admin+) Arbitrary File Read