WordPress Plugin Vulnerabilities

Import and export users and customers < 1.24.4 - Contributor+ Stored XSS

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
import-users-from-csv-with-meta
Fixed in 1.24.4

References

CVE
CVE-2023-6624
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4731eb39-8c01-4a2b-80f7-15d8c13a19b5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.1 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
f44de48c-ce55-4ad1-b22b-97b3f3c86f4d

Timeline

Publicly Published
2023-12-11 (about 2 years ago)
Added
2023-12-12 (about 2 years ago)
Last Updated
2023-12-12 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Maps for WP <= 1.2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-11-07
Title
Seo By 10Web <= 1.2.9 - Reflected XSS
Published
2025-01-06
Title
Sina Extension for Elementor < 3.6.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Sina Image Differ
Published
2024-11-22
Title
Custom Field Manager <= 1.0 - Reflected XSS Vulnerability
Published
2022-07-04
Title
Popup Anything < 2.1.7 - Reflected Cross-Site Scripting