Platform
wordpress
Component
users-customers-import-export-for-wp-woocommerce
Fixed in
2.6.3
CVE-2025-1970 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Export and Import Users and Customers plugin for WordPress. This flaw allows authenticated attackers, specifically those with Administrator-level access or higher, to initiate web requests to arbitrary locations, effectively leveraging the application to query or modify internal services. The vulnerability impacts versions from 0.0.0 up to and including 2.6.2, but a patch is available in version 2.6.3.
The SSRF vulnerability in Export and Import Users and Customers allows an attacker with administrative privileges to bypass security controls and make requests to internal resources that are otherwise unreachable from outside the network. This could expose sensitive data held on the internal network, such as database credentials, API keys, or configuration files. An attacker could also use the flaw to interact with internal services, which could lead to data modification or denial of service. Because the plugin can be made to query internal services, the issue is a significant risk: it can be used to map the internal network and identify other potential attack vectors.
CVE-2025-1970 was publicly disclosed on 2025-03-22. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. While no active exploitation is confirmed, the SSRF nature of the vulnerability and the plugin's popularity warrant prompt mitigation.
WordPress websites using the Export and Import Users and Customers plugin are at risk wherever the plugin has not been updated to version 2.6.3, since any administrator account can trigger the flaw. Shared hosting environments where plugin updates are managed centrally remain vulnerable if the plugin has not been updated across all accounts.
• wordpress / composer / npm:
grep -r 'validate_file()' /var/www/html/wp-content/plugins/export-and-import-users-and-customers/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/export-and-import-users-and-customers/ | grep Server
Exploit Status
EPSS
0.16% (37th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-1970 is to immediately upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to internal IP addresses or sensitive internal endpoints. Additionally, restrict the plugin's access to internal resources by implementing stricter access controls and network segmentation. Regularly review plugin configurations and ensure that only necessary permissions are granted.
Update the Export and Import Users and Customers plugin to version 2.6.3 or later to mitigate the Server-Side Request Forgery vulnerability. This update fixes the `validate_file()` function to prevent arbitrary web requests.
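The page names `validate_file()` as the hardened function but does not show the patch. The following is an added illustration, not the plugin's code or its 2.6.3 fix, of the destination check a WordPress plugin can apply to an admin-supplied URL before passing it to `wp_remote_get()`; `ssrf_safe_url()` and `fetch_import_source()` are hypothetical helper names, while `wp_parse_url()`, `wp_remote_get()` and `WP_Error` are real WordPress APIs.

```php
<?php
// Added illustration (not the plugin's validate_file()): reject URLs whose
// scheme is not http(s) or whose host resolves to any non-public address,
// so an administrator-supplied URL cannot be used to reach internal services.

/**
 * Return true only if $url is an http(s) URL whose host resolves
 * exclusively to public addresses. Rejects loopback, RFC 1918,
 * link-local (including 169.254.169.254 cloud metadata) and the
 * IPv6 unique-local / loopback / link-local ranges.
 */
function ssrf_safe_url( $url ) {
    $parts = wp_parse_url( $url );  // WordPress wrapper around parse_url()
    if ( ! $parts || empty( $parts['host'] ) ) {
        return false;
    }
    $scheme = strtolower( $parts['scheme'] ?? '' );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return false;  // no file://, gopher://, php://, ...
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;  // "trusted@internal-host" style confusion
    }
    // Resolve every A and AAAA record; a single private answer fails the URL.
    $records = dns_get_record( $parts['host'], DNS_A | DNS_AAAA );
    if ( empty( $records ) ) {
        return false;
    }
    foreach ( $records as $r ) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? '';
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10, ...
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return false;
        }
    }
    return true;
}

function fetch_import_source( $url ) {
    if ( ! ssrf_safe_url( $url ) ) {
        return new WP_Error( 'ssrf_blocked', 'URL points to a disallowed destination.' );
    }
    // redirection => 0: a 30x answer pointing at an internal host would
    // otherwise bypass the check above.
    return wp_remote_get( $url, array( 'timeout' => 10, 'redirection' => 0 ) );
}
```

The DNS answer used here and the one the HTTP client later receives can differ (DNS rebinding), so the check should be paired with egress filtering at the network layer; WordPress also ships `wp_safe_remote_get()`, which applies its own `wp_http_validate_url()` destination check.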
CVE-2025-1970 is a Server-Side Request Forgery vulnerability in the Export and Import Users and Customers WordPress plugin, allowing attackers with admin access to make arbitrary web requests.
You are affected if you are running the Export and Import Users and Customers WordPress plugin at any version from 0.0.0 through 2.6.2.
Upgrade the plugin to version 2.6.3 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but prompt mitigation is still recommended.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.