cbcvebase.
CVE-2025-1973
published 2025-03-22

CVE-2025-1973: The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the…

PriorityP427medium4.9CVSS 3.1
AVNACLPRHUINSUCHINAN
EPSS
0.69%
48.2th percentile
The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.

Affected

4 ranges
VendorProductVersion rangeFixed in
msrccbl2_kernel_5.15.67.1-4_on_cbl_mariner_2.0
msrccm1_kernel_5.10.145.1-1_on_cbl_mariner_1.0
webtoffeeexport_and_import_users_and_customers<= 2.6.2
webtoffeeimport_export_wordpress_users< 2.6.32.6.3

CVSS provenance

nvdv3.14.9MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vendor_msrc7.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.