WordPress Plugin Vulnerability Report – Import and export users and customers – Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode – CVE-2023-6624
Plugin Name: Import and export users and customers
Key Information:
- Software Type: Plugin
- Software Slug: import-users-from-csv-with-meta
- Software Status: Active
- Software Author: carazo
- Software Downloads: 3,901,440
- Active Installs: 80,000
- Last Updated: December 11, 2023
- Patched Versions:
- Affected Versions:
Vulnerability Details:
- Name: Import and export users and customers <= 1.24.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
- Title: Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
- Type: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CVE: CVE-2023-6624
- CVSS Score: 4.9 (Medium)
- Publicly Published: December 11, 2023
- Researcher: Rafshanzani Suhada
- Description: The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.24.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Import and export users and customers plugin for WordPress has a stored cross-site scripting vulnerability in versions up to and including 1.24.3 that can be exploited by authenticated users with contributor-level access or higher. At the time of publication this vulnerability has not been patched.
Detailed Overview:
This vulnerability exists because the plugin's shortcode functionality neither sanitizes user input sufficiently nor escapes it on output. An attacker with contributor access or higher can place script content in shortcode attributes; that content is stored in the database and rendered on the front end whenever someone views a post or page containing the injected shortcode. Arbitrary JavaScript can therefore run in the browsers of administrators and other high-privilege users when they view the malicious post or page.
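As an added illustration that is not the plugin's code (the shortcode tag `example_export`, its attributes and the function names are hypothetical), here is the unsafe pattern the description refers to next to a form that escapes each attribute for the context it lands in:

```php
<?php
// Constructed illustration, not the plugin's code. The shortcode tag `example_export`,
// its attributes and the function names are hypothetical.

// Unsafe pattern: a contributor-controlled attribute is concatenated into markup
// with no escaping. The kses filter WordPress applies to content saved by users
// without the unfiltered_html capability does not help here: at save time the value
// sits inside [brackets], not inside an HTML tag, so it is stored unchanged and only
// becomes markup when the handler renders it.
function example_export_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Export users', 'class' => 'export-btn' ),
        $atts,
        'example_export'
    );
    return '<button class="' . $atts['class'] . '">' . $atts['label'] . '</button>';
}

// Hardened pattern: restrict values where the valid set is known, then escape every
// attribute at output with the escaper for the context it lands in
// (HTML attribute value vs. element text).
function example_export_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Export users', 'class' => 'export-btn' ),
        $atts,
        'example_export'
    );
    // sanitize_html_class() keeps only [A-Za-z0-9_-] and falls back if nothing is left.
    $class = sanitize_html_class( $atts['class'], 'export-btn' );
    return sprintf(
        '<button class="%s">%s</button>',
        esc_attr( $class ),          // attribute context
        esc_html( $atts['label'] )   // text-node context
    );
}
add_shortcode( 'example_export', 'example_export_shortcode_safe' );
```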
Advice for Users:
- Immediate Action: There is no patched version available yet. Disable the plugin functionality to mitigate risk until a patch is released.
- Check for Signs of Vulnerability: Review posts and pages created by lower privilege users such as contributors for unexpected shortcode output that could signal an attack.
- Alternate Plugins: Consider using an alternate plugin for user/customer import/export functionality until this plugin has addressed the vulnerability, such as User Import Export or WP All Import.
- Stay Updated: Monitor the plugin developer's website and Wordfence for updates regarding new patched plugin versions to upgrade to urgently once available.
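One way to carry out the review suggested under "Check for Signs of Vulnerability", as an added audit script that is not part of the plugin or this advisory: it runs under WP-CLI (`wp eval-file audit-shortcode-atts.php`) so that every registered shortcode tag is known, and flags shortcode attribute text in contributor- or author-authored content that contains angle brackets, a `javascript:` scheme or an `on…=` handler fragment. The file name and that heuristic pattern are assumptions; because the advisory does not name the plugin's own shortcode tags, all registered tags are checked.

```php
<?php
/**
 * Constructed audit script, not part of the plugin or the advisory.
 * Usage: wp eval-file audit-shortcode-atts.php
 * WP-CLI loads WordPress with plugins active, so get_shortcode_regex()
 * knows every registered shortcode tag.
 */
function audit_low_privilege_shortcode_atts() {
    $authors = get_users( array(
        'role__in' => array( 'contributor', 'author' ),
        'fields'   => 'ID',
    ) );
    if ( empty( $authors ) ) {
        return 0;
    }
    $posts = get_posts( array(
        'author__in'     => $authors,
        'post_type'      => array( 'post', 'page' ),
        'post_status'    => 'any',
        'posts_per_page' => -1,
    ) );
    // Match groups from get_shortcode_regex(): 2 = tag name, 3 = raw attribute string.
    $shortcode_re = '/' . get_shortcode_regex() . '/';
    // Heuristic (assumption): plain-text attribute values have no business containing
    // angle brackets, a javascript: scheme, or an on*= event-handler fragment.
    $suspicious_re = '/[<>]|javascript:|\bon[a-z]+\s*=/i';
    $hits = 0;
    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $shortcode_re, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $raw_atts = isset( $m[3] ) ? $m[3] : '';
            if ( $raw_atts !== '' && preg_match( $suspicious_re, $raw_atts ) ) {
                $hits++;
                WP_CLI::warning( sprintf(
                    'post %d by user %d: [%s] attributes %s',
                    $post->ID, $post->post_author, $m[2], wp_json_encode( $raw_atts )
                ) );
            }
        }
    }
    return $hits;
}
$found = audit_low_privilege_shortcode_atts();
WP_CLI::success( "$found shortcode(s) with suspicious attribute text in contributor/author content." );
```

Each warning names the post, the author and the offending attribute string so the post can be inspected and its revision history reviewed; a hit is a lead, not proof of exploitation.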
Conclusion:
This stored XSS vulnerability requires timely action from the plugin developers to patch, as it leaves admin and high privilege WordPress users open to attack from lower level contributors. Users should proactively monitor communications channels for updates, disable plugin functionality in the interim, and consider alternate plugins with similar functionality that do not contain this vulnerability.
Detailed Report:
Keeping your WordPress website and its plugins up-to-date is critical for security. Unfortunately, many site owners fail to regularly update and patch vulnerabilities that leave their sites open to attack.
Case in point: a serious stored cross-site scripting (XSS) vulnerability was recently disclosed in the popular WordPress plugin, Import and export users and customers, which has over 3 million downloads. This plugin allows importing and exporting of WordPress users and customers to CSV files.
Versions up to and including 1.24.3 of this plugin contain a vulnerability that allows authenticated users with contributor access or higher privileges to inject malicious scripts into pages and posts. These scripts then execute when administrators view the injected pages, effectively giving a lower-level user the reach of an administrator's browser session and a path to compromising high-level admin accounts.
Specifically, the vulnerability exists due to insufficient sanitization of user input and output escaping in the plugin's shortcode functionality. By supplying malicious script content via shortcode attributes, an attacker can store their payload in the database to be rendered later. When admins and other high privilege users view affected pages, the scripts will then execute in their browser sessions.
This stored XSS vulnerability leaves WordPress sites that use this plugin open to serious compromise. Attackers may be able to steal admin session cookies, take over accounts, access confidential data, or use compromised admin accounts to install backdoors.
Unfortunately at this time no patch is yet available from the plugin developers. The only way to mitigate the risk is to immediately disable the Import and export users and customers plugin functionality.
For small business owners with limited time and resources to dedicate to security management, this situation highlights the critical importance of staying on top of vulnerabilities in the tools you depend on to run your site. We recommend:
- Enabling automatic background updates for all WordPress plugins whenever possible
- Actively monitoring notification feeds about newly discovered vulnerabilities
- Being ready to quickly disable or replace vulnerable plugins
- Considering managed WordPress hosting providers that handle security patching for you
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.