Import And Export Users And Customers
Monthly
Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Missing Authorization vulnerability in Codection Import and export users and customers.24.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Sensitive information exposure in the Import and Export Users and Customers WordPress plugin (all versions ≤ 2.4.0) allows any authenticated subscriber-level user to enumerate and extract the post_title and raw post_content of arbitrary posts regardless of visibility status or post type. Affected content includes drafts, private posts, password-protected entries, future-scheduled posts, trashed items, and non-public custom post types such as WooCommerce orders and internal CRM records. The exploit barrier is exceptionally low: the required security nonce is leaked as inline JavaScript on any wp-admin page reachable by subscribers. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis.
Missing Authorization vulnerability in Codection Import and export users and customers.24.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Import and export users and customers WordPress plugin before 1.20.5 does not properly escape data when exporting it via CSV files. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Import and export users and customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.