Import and export users and customers < 1.27.6 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2024-50413 | Plugin Vulnerabilities

Description

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.27.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

import-users-from-csv-with-meta

Fixed in 1.27.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ef462cdf-4639-405c-94c6-568645d4fa22

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

UKO

Verified

No

WPVDB ID

db756c5e-780c-4a2d-a9c7-68d677bc54b5

Timeline

Publicly Published

2024-10-24 (about 1 year ago)

Added

2024-10-31 (about 1 year ago)

Last Updated

2024-10-31 (about 1 year ago)

Other

Published

Title

Published

2023-06-16

Title

Seed Fonts 2.3.1 - Admin+ Stored XSS

Published

2023-11-16

Title

Quiz And Survey Master < 8.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-10-25

Title

Notification < 8.0.0 - Admin+ Stored Cross-Site Scripting

Published

2024-10-03

Title

Ultimate Member < 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-01-20

Title

Media Library Categories < 2.0.0 - Admin+ Stored XSS