WordPress Plugin Vulnerability Report – Export and Import Users and Customers – Authenticated (Shop Manager+) Arbitrary File Upload – CVE-2023-6558

Plugin Name: Export and Import Users and Customers

Key Information:

  • Software Type: Plugin
  • Software Slug: users-customers-import-export-for-wp-woocommerce
  • Software Status: Active
  • Software Author: webtoffee
  • Software Downloads: 2,025,020
  • Active Installs: 70,000
  • Last Updated: December 12, 2023
  • Patched Versions: 2.4.9
  • Affected Versions: <= 2.4.8

Vulnerability Details:

  • Name: Export and Import Users and Customers <= 2.4.8 - Authenticated (Shop Manager+) Arbitrary File Upload
  • Title: Authenticated (Shop Manager+) Arbitrary File Upload
  • Type: Unrestricted Upload of File with Dangerous Type
  • CVE: CVE-2023-6558
  • CVSS Score: 7.2 (High)
  • Publicly Published: December 12, 2023
  • Researcher: István Márton
  • Description: The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.


The Export and Import Users and Customers plugin for WordPress has a vulnerability in versions up to and including 2.4.8 that allows authenticated users with shop manager-level capabilities or above to upload arbitrary files. This vulnerability has been patched in version 2.4.9.

Detailed Overview:

The researcher István Márton discovered an arbitrary file upload vulnerability in the Export and Import Users and Customers plugin affecting versions up to and including 2.4.8. This is due to insufficient validation of uploaded file types in the upload_import_file function of the plugin. By exploiting this, an attacker with shop manager-level access or above could upload unexpected and potentially malicious files to the server which may enable remote code execution capabilities. This presents a high severity risk according to the CVSS score of 7.2. Users are strongly advised to update to version 2.4.9 which contains the fix for this vulnerability.

Advice for Users:

  1. Immediate Action: Update the Export and Import Users and Customers plugin to version 2.4.9 as soon as possible.
  2. Check for Signs of Vulnerability: Review server logs for any unexpected uploads from users with shop manager-level access or higher. Also scan files for anything suspicious.
  3. Alternate Plugins: Consider alternative import/export plugins as a precaution, such as the official WordPress Importer & Exporter.
  4. Stay Updated: Always keep plugins updated, especially those handling file uploads.
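
For steps 1 and 2, the following added example (not code from the plugin or from the original report) reads the installed plugin version and lists files under the uploads directory that carry a script extension. It assumes the standard WordPress layout (`wp-content/plugins`, `wp-content/uploads`); the function names, the extension list, and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_SLUG = "users-customers-import-export-for-wp-woocommerce"  # slug from the report
PATCHED = (2, 4, 9)                                               # first fixed version
# Assumption: extensions commonly mapped to the PHP handler; adjust to your server config.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M)

def plugin_version(wp_root):
    """Return the plugin version from its header comment as a tuple, or None."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    for php in sorted(plugin_dir.glob("*.php")):
        m = HEADER_RE.search(php.read_text(errors="ignore"))
        if m:
            return tuple(int(p) for p in m.group(1).split("."))
    return None

def is_affected(version):
    """Affected range per the report: <= 2.4.8."""
    return version is not None and version < PATCHED

def script_files_in_uploads(wp_root):
    """List files under wp-content/uploads carrying a script extension anywhere
    in the name, so 'users.php.csv' is flagged as well as 'users.php'."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    hits = []
    for f in uploads.rglob("*"):
        if f.is_file() and {s.lower() for s in f.suffixes} & SCRIPT_EXTS:
            hits.append(f.relative_to(wp_root).as_posix())
    return sorted(hits)

def build_sample_site(root):
    """Constructed sample tree for the demo; not real site data."""
    plugin = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
    up = Path(root) / "wp-content" / "uploads" / "2023" / "12"
    plugin.mkdir(parents=True); up.mkdir(parents=True)
    (plugin / "plugin.php").write_text("<?php\n/*\n * Plugin Name: Sample\n * Version: 2.4.8\n */\n")
    for name in ("customers.csv", "users.PHP", "export.php.csv"):
        (up / name).write_text("constructed sample\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        print("affected:", is_affected(plugin_version(site)))
        for hit in script_files_in_uploads(site):
            print("review:", hit)
```

A hit is a file to review rather than proof of compromise; compare its modification time with the server access logs for import requests made by shop manager accounts.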


The plugin developers have shown a prompt response in releasing version 2.4.9 to patch this serious arbitrary file upload vulnerability. Users should waste no time in updating to stay secure.




Detailed Report:

The internet can be a dangerous place, and nowhere is that more apparent than in the world of content management systems like WordPress. Case in point: A serious vulnerability was recently disclosed in the popular Export and Import Users and Customers plugin that leaves over 70,000 websites exposed to potential compromise. If you use this plugin, updating to the latest fixed version is critical.

About the Plugin

The Export and Import Users and Customers plugin, with over 2 million downloads and 70,000 active installs, allows owners of WooCommerce stores to easily export user data to a CSV file and import new users from CSV files. It’s a useful tool for managing customers at scale. However, several vulnerabilities have been discovered in the past that require timely patching.

The Vulnerability

Researcher István Márton recently found that the plugin does not properly validate file uploads, enabling authenticated users with at least Shop Manager level access to upload dangerous files of any type to the server. This arbitrary file upload vulnerability, which may make remote code execution possible, is tracked as CVE-2023-6558 with a CVSS severity score of 7.2 (High).


This vulnerability means Shop Managers could potentially fully compromise WooCommerce sites by uploading and executing malicious scripts. This presents a serious risk, as compromised sites could have customer data stolen or malicious content injected, or could be publicly defaced, held for ransom, or used to attack others. Over 70,000 sites currently remain vulnerable.

Patching to Prevent Compromise

The Export and Import Users plugin developers acted swiftly in releasing version 2.4.9 that patches this flaw by restricting uploads to expected Excel and CSV file types. Users of vulnerable 2.4.8 and earlier releases are urged to update immediately.

Past Vulnerabilities

According to Wordfence’s threat database, this is the fourth significant security flaw uncovered in the plugin in the past two years, indicating the plugin has not had sufficient security QA. That is reason for extra caution.

Concluding Security Advice

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
