CVE-2025-1972
published 2025-03-22


Priority: P3 | 36 | medium | 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:N / I:H / A:H
EPSS: 0.37% (28.9th percentile)
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
msrc | cbl2_binutils_2.37-10_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
webtoffee | export_and_import_users_and_customers | <= 2.6.2 |
webtoffee | import_export_wordpress_users | < 2.6.3 | 2.6.3

CVSS provenance

nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
vendor_msrc | 6.5 | MEDIUM
vendor_redhat | 5.5 | MEDIUM