Question 1

What exactly is the vulnerability?

Accepted Answer

What exactly is the vulnerability?

The vulnerability is a stored cross-site scripting (XSS) issue that exists in versions up to and including 1.24.3 of the Import and export users and customers WordPress plugin. It allows users with contributor access or higher privileges to inject malicious scripts into pages and posts. When admins view those pages later, the scripts execute in their browser session.

This effectively lets lower privilege users elevate their permissions to compromise high level admin accounts. Attackers may be able to steal admin session cookies, take over accounts, access confidential data on the site, or install backdoors.

Question 2

How can I tell if my site is affected?

Accepted Answer

How can I tell if my site is affected?

If you have the Import and export users and customers plugin installed in a version up to and including 1.24.3, your site is affected. Login to your WordPress dashboard and visit Plugins to check. Over 3 million sites have downloaded this plugin, so it is fairly common.

You can also review posts and pages created by contributor-level authors and look for unexpected shortcode output that could signal an attack. But disabling the plugin is the best immediate mitigation.

Question 3

What is the risk level?

Accepted Answer

What is the risk level?

The vulnerability has a CVSS score of 4.9 out of 10, making it a medium severity issue. The major risk is that administrator or other high privilege accounts can rather easily be compromised by lower permission users.

This allows serious site compromise, unauthorized data access, and infection with backdoors. So while medium severity, the impact can be quite serious if exploited.

Question 4

What should I do to protect my site?

Accepted Answer

What should I do to protect my site?

As no patch is yet available, the only current mitigation is to immediately disable the Import and export users and customers plugin. This will disable the vulnerable functionality until a fixed version is released.

You may also wish to consider an alternate plugin for user/customer import/export functionality in the interim, carefully checking that the alternative does not carry a similar vulnerability.

Question 5

What could happen if my site was compromised through this vulnerability?

Accepted Answer

What could happen if my site was compromised through this vulnerability?

Attackers may be able to steal admin session cookies, take over accounts and lock out legitimate owners, access confidential site data, deface or destroy site content, or use compromised admin accounts to install backdoors giving them persistent access even if the vulnerability eventually gets patched.

Question 6

How would I know if my site was already compromised?

Accepted Answer

How would I know if my site was already compromised?

Review posts and pages created by lower privilege users such as contributors for unexpected shortcode output that could signal an attack. Also check for unauthorized changes to content or configuration, new unrecognized admin accounts, or sudden problems with site functionality. Compromises through vulnerabilities like this one often go undetected at first.

Question 7

Is this the first vulnerability found in the plugin?

Accepted Answer

Is this the first vulnerability found in the plugin?

No, this plugin has had 11 previous vulnerabilities reported in just the last 5 years highlighting the ongoing security issues with it.

Question 8

What if I can't update plugins regularly?

Accepted Answer

What if I can't update plugins regularly?

For site owners without the time or ability to constantly monitor and update plugins, using a managed WordPress hosting provider is highly recommended. These services handle security patching, updates, monitoring, and incident response on your behalf allowing you to focus on your business instead.

Question 9

Should I switch to another plugin that offers the same functionality?

Accepted Answer

Should I switch to another plugin that offers the same functionality?

Yes, while waiting for this plugin to release a patch, users should strongly consider alternatives that offer user/customer import and export capabilities without serious unresolved vulnerabilities. A few options to research would be WP All Import and User Import Export.

Question 10

Who can I contact for help securing my site?

Accepted Answer

Who can I contact for help securing my site?

If you need any help auditing the current security status of your WordPress site, assistance with timely patching of vulnerabilities, recommendations on securely configured hosting, or even fully managed hosting, please reach out to us. We know how busy running a small business can be and are happy to help secure your online presence.

disable

WordPress Plugin Vulnerability Report – Import and export users and customers – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-6624

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy