Export and Import Users and Customers <= 2.6.2 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Functie
Platform
wordpress
Component
users-customers-import-export-for-wp-woocommerce
Opgelost in
2.6.3
CVE-2025-1970 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Export and Import Users and Customers plugin for WordPress. This flaw allows authenticated attackers, specifically those with Administrator-level access or higher, to initiate web requests to arbitrary locations, effectively leveraging the application to query or modify internal services. The vulnerability impacts versions from 0.0.0 up to and including 2.6.2, but a patch is available in version 2.6.3.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
The SSRF vulnerability in Export and Import Users and Customers allows an attacker with administrative privileges to bypass security controls and make requests to internal resources that are otherwise inaccessible from the outside. This could lead to the exposure of sensitive data stored within the internal network, such as database credentials, API keys, or configuration files. An attacker could also potentially use this vulnerability to interact with internal services, potentially leading to data modification or denial of service. The ability to query internal services makes this a significant risk, as it can be used to map the internal network and identify other potential attack vectors.
Uitbuitingscontextwordt vertaald…
CVE-2025-1970 was publicly disclosed on 2025-03-22. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. While no active exploitation is confirmed, the SSRF nature of the vulnerability and the plugin's popularity warrant prompt mitigation.
Wie Loopt Risicowordt vertaald…
WordPress websites utilizing the Export and Import Users and Customers plugin, particularly those with administrator accounts that have not been updated to version 2.6.3, are at risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if the plugin hasn't been updated across all accounts.
Detectiestappenwordt vertaald…
• wordpress / composer / npm:
grep -r 'validate_file()' /var/www/html/wp-content/plugins/export-and-import-users-and-customers/• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/export-and-import-users-and-customers/ | grep ServerAanvalstijdlijn
- Disclosure
disclosure
Dreigingsinformatie
Exploit Status
EPSS
0.16% (37% percentiel)
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Hoog — beheerder of geprivilegieerd account vereist.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Gewijzigd — aanval kan voorbij het kwetsbare component uitbreiden naar andere systemen.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Laag — aanvaller kan enkele gegevens met beperkte omvang aanpassen.
- Availability
- Geen — geen beschikbaarheidsimpact.
Getroffen Software
Pakketinformatie
- Actieve installaties
- 60KBekend
- Plugin-beoordeling
- 4.8
- Vereist WordPress
- 3.0.1+
- Compatibel tot
- 6.9.4
- Vereist PHP
- 5.6+
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2025-1970 is to immediately upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to internal IP addresses or sensitive internal endpoints. Additionally, restrict the plugin's access to internal resources by implementing stricter access controls and network segmentation. Regularly review plugin configurations and ensure that only necessary permissions are granted.
Hoe te verhelpen
Werk de Export and Import Users and Customers plugin bij naar versie 2.6.3 of hoger om de Server-Side Request Forgery kwetsbaarheid te mitigeren. Deze update corrigeert de `validate_file()` functie om willekeurige webverzoeken te voorkomen.
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2025-1970 — SSRF in Export and Import Users and Customers?
CVE-2025-1970 is a Server-Side Request Forgery vulnerability in the Export and Import Users and Customers WordPress plugin, allowing attackers with admin access to make arbitrary web requests.
Am I affected by CVE-2025-1970 in Export and Import Users and Customers?
You are affected if you are using the Export and Import Users and Customers plugin in WordPress versions 0.0.0 through 2.6.2.
How do I fix CVE-2025-1970 in Export and Import Users and Customers?
Upgrade the plugin to version 2.6.3 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
Is CVE-2025-1970 being actively exploited?
As of the current disclosure date, there are no confirmed reports of active exploitation, but prompt mitigation is still recommended.
Where can I find the official WordPress advisory for CVE-2025-1970?
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.