Import and export users and customers Vulnerability – Authenticated (Administrator+) Stored Cross-Site Scripting – CVE-2024-4656, CVE-2024-4734 | WordPress Plugin Vulnerability Report

Plugin Name: Import and export users and customers

Key Information:

  • Software Type: Plugin
  • Software Slug: import-users-from-csv-with-meta
  • Software Status: Active
  • Software Author: carazo
  • Software Downloads: 4,320,707
  • Active Installs: 80,000
  • Last Updated: May 14, 2024
  • Patched Versions: 1.26.7
  • Affected Versions: <= 1.26.6.1

Vulnerability Details:

  • Name: Import and export users and customers <= 1.26.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
  • Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CVE: CVE-2024-4656, CVE-2024-4734
  • CVSS Score: 4.4 (Medium)
  • Publicly Published: May 14, 2024
  • Researcher: quanhx hxx
  • Description: The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header and admin settings in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Summary:

The Import and export users and customers plugin for WordPress has a vulnerability in versions up to and including 1.26.6.1 that allows authenticated attackers with administrator access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability has been patched in version 1.26.7.

Detailed Overview:

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header (CVE-2024-4656) and admin settings (CVE-2024-4734) in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability affecting admin settings only affects multi-site installations and installations where unfiltered_html has been disabled.
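The two flaws described above share one root cause: attacker-influenced text (a request header, a settings value) is stored and later written into an admin page without escaping. The following PHP is an added illustration of that pattern and its fix; it is not code from the plugin, and the table cell, function names and the sample User-Agent string are constructed for the example. It uses plain `htmlspecialchars()` and `strip_tags()` so it runs under the `php` CLI without WordPress loaded; the WordPress equivalents are `esc_html()` at output time and `sanitize_text_field()` at storage time.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical import log that
// records the User-Agent of whoever ran an import and later shows it on an
// admin screen. The header is client-controlled and reaches storage unchanged.

// Constructed sample value: a User-Agent that carries HTML markup.
$stored_user_agent = 'Mozilla/5.0 <script>alert(1)</script>';

// Vulnerable rendering: the stored string is interpolated into HTML as-is,
// so a browser parses the <script> element when an administrator views the page.
function render_unescaped(string $ua): string
{
    return "<td>$ua</td>";
}

// Hardened rendering: escape at the point of output, for the HTML context the
// value lands in. In WordPress this is esc_html() (or esc_attr() inside attributes).
function render_escaped(string $ua): string
{
    return '<td>' . htmlspecialchars($ua, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Defence in depth: reduce the value to plain text before storing it, roughly
// what sanitize_text_field() does in WordPress. Storage-time sanitization does
// not replace output escaping, because the same row can be written by other code paths.
function sanitize_for_storage(string $ua): string
{
    $ua = strip_tags($ua);
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua); // drop control characters
    return trim($ua);
}

echo render_unescaped($stored_user_agent), PHP_EOL;
echo render_escaped($stored_user_agent), PHP_EOL;
echo render_escaped(sanitize_for_storage($stored_user_agent)), PHP_EOL;
```

Running the file prints the raw cell first (the markup survives intact), then the escaped cell where `<` and `>` have become `&lt;` and `&gt;` and the text is inert, then the sanitized-and-escaped cell with the tags removed entirely. The escaping step is the one that closes the hole; the sanitization step only narrows what gets stored. This also explains the caveat above about the admin-settings variant: on a single-site install, administrators hold the `unfiltered_html` capability and may store raw HTML legitimately, so storing markup in a setting is not a privilege gain for them; it becomes one on multisite, or where that capability has been removed, because the page then renders HTML the account was not allowed to supply.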

Advice for Users:

  1. Immediate Action: Users are encouraged to update the Import and export users and customers plugin to version 1.26.7 or later.
  2. Check for Signs of Vulnerability: Users should check their WordPress sites for any signs of injected scripts or unauthorized modifications.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.26.7 or later to secure their WordPress installations. This plugin has had 15 previous vulnerabilities since December 2018, emphasizing the need for regular updates and monitoring.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/import-users-from-csv-with-meta
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/import-users-from-csv-with-meta/import-and-export-users-and-customers-12661-authenticated-administrator-stored-cross-site-scripting-1
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/import-users-from-csv-with-meta/import-and-export-users-and-customers-12661-authenticated-administrator-stored-cross-site-scripting

Detailed Report:

As a website owner, keeping your site secure should always be a top priority. Vulnerabilities in plugins, themes, and even WordPress core files can leave your site exposed to potential attacks, compromising your data and your users' information. Today, we're highlighting a medium-severity (CVSS 4.4) stored cross-site scripting vulnerability found in the popular "Import and export users and customers" plugin for WordPress, which affects tens of thousands of websites.

The "Import and export users and customers" Plugin

The "Import and export users and customers" plugin, developed by carazo, is a widely-used tool that allows WordPress site owners to easily import and export user data. With over 4 million downloads and 80,000 active installations, this plugin has become a go-to solution for many website administrators.

The Vulnerability

A stored cross-site scripting vulnerability has been discovered in the "Import and export users and customers" plugin, affecting all versions up to and including 1.26.6.1. The vulnerability, identified as CVE-2024-4656 and CVE-2024-4734, allows authenticated attackers with administrator access or higher to inject malicious scripts into your website via the user agent header and admin settings.

This vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute arbitrary web scripts whenever a user accesses an injected page. It is important to note that the vulnerability affecting admin settings only impacts multi-site installations and installations where unfiltered_html has been disabled.

Risks and Potential Impacts

If left unpatched, this vulnerability could lead to severe consequences for your website:

  1. Unauthorized access to your website and its data
  2. Injection of malicious scripts that could harm your users
  3. Damage to your website's reputation and loss of user trust
  4. Potential legal and financial repercussions

Remediation

To protect your website from this vulnerability, it is crucial to update the "Import and export users and customers" plugin to version 1.26.7 or later immediately. If you are unsure about how to update your plugins or need assistance in ensuring your website's security, don't hesitate to reach out to a professional.

Previous Vulnerabilities

It is worth noting that the "Import and export users and customers" plugin has had a history of vulnerabilities, with 15 reported since December 2018. This underscores the importance of regularly updating your plugins and staying vigilant about your website's security.

The Importance of Staying on Top of Security Vulnerabilities

As a small business owner, managing website security can be overwhelming, especially when you have limited time and resources. However, neglecting security updates can put your website, your business, and your customers at risk. By regularly updating your plugins, themes, and WordPress core files, you can significantly reduce the likelihood of falling victim to a security breach.

If you find it challenging to keep up with the latest security updates and vulnerabilities, consider partnering with a reliable website maintenance and security service provider. They can help you monitor your website for potential threats, ensure timely updates, and provide expert guidance on maintaining a secure online presence.

Don't wait until it's too late. Take action now to protect your website and your users' data. Stay informed about the latest security risks and best practices, and prioritize the safety of your online assets. Your business and your customers will thank you for it.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
