WebToffee Import Export WordPress Users vulnerabilities
10 known vulnerabilities affecting webtoffee/import_export_wordpress_users.
Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 4
Vulnerabilities
CVE-2019-15092 | P3 | HIGH | CVSS 7.3 | CWE-1236 | PoC | ≤ 1.3.1 | 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.
nvd
CVE-2020-12074 | P3 | HIGH | CVSS 8.8 | CWE-269 | fixed in 1.3.9 | 2020-04-23
The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV.
nvd
CVE-2023-6558 | P3 | HIGH | CVSS 7.2 | CWE-434 | ≤ 2.4.8 | 2024-01-11
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above, to upload arbitrary files on the af
nvd
CVE-2023-3459 | P3 | HIGH | CVSS 7.2 | CWE-863 | ≤ 2.4.1 | 2023-07-18
The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user
nvd
CVE-2025-1970 | P3 | HIGH | CVSS 7.6 | CWE-918 | fixed in 2.6.3 | 2025-03-22
The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web applic
nvd
CVE-2025-1971 | P3 | HIGH | CVSS 7.2 | CWE-502 | fixed in 2.6.3 | 2025-03-22
The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain i
nvd
CVE-2025-1972 | P3 | MEDIUM | CVSS 6.5 | CWE-73 | fixed in 2.6.3 | 2025-03-22
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the
nvd
CVE-2024-32835 | P4 | MEDIUM | CVSS 5.4 | CWE-502 | ≥ n/a, ≤ 2.5.3 | 2024-04-24
Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users. This issue affects Import Export WordPress Users: from n/a through 2.5.3.
nvd
CVE-2025-1973 | P4 | MEDIUM | CVSS 4.9 | CWE-22 | fixed in 2.6.3 | 2025-03-22
The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive
nvd
CVE-2024-30492 | P4 | MEDIUM | CVSS 4.3 | CWE-22 | ≥ n/a, ≤ 2.5.2 | 2024-03-29
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WebToffee Import Export WordPress Users. This issue affects Import Export WordPress Users: from n/a through 2.5.2.
nvd