WordPress Plugin Vulnerabilities

Import Users From CSV with Meta 1.15 - Unauthorised Authenticated Users Export

Description

The export_users_csv function, registered as an authenticated AJAX call and allowing to export users, was missing the authorisation/capability check. CSRF check was in place, reducing the severity of the issue.

Only version 1.15 seems to be affected as the export functionality is a new feature introduced by it.

Affects Plugins

Plugin icon
import-users-from-csv-with-meta
Fixed in 1.15.0.1

References

URL
https://plugins.trac.wordpress.org/changeset/2220481

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
3.1 (low)

Miscellaneous

Verified
No
WPVDB ID
e86ed52c-6c2a-448c-ba09-977c2d425fcf

Timeline

Publicly Published
2020-01-01 (about 6 years ago)
Added
2020-01-03 (about 6 years ago)
Last Updated
2020-11-14 (about 5 years ago)

Other

Published
Title
Published
2025-05-12
Title
Frontend Dashboard 1.0 - 2.2.7 - Subscriber+ Privilege Escalation via fed_admin_setting_form_function Function
Published
2022-10-10
Title
Automatic User Roles Switcher < 1.1.2 - Subscriber+ Privilege Escalation
Published
2025-10-17
Title
Sale! Immigration law, Visa services support, Migration Agent Consulting <= 1.5.8 - Authenticated (Subscriber+) Privilege Escalation
Published
2025-10-14
Title
Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme < 1.5.0 - Unauthenticated Privilege Escalation to Editor
Published
2025-08-18
Title
Real Spaces - WordPress Properties Directory Theme < 3.6 - Authenticated (Subscriber+) Privilege Escalation to Administrator via 'change_role_member'