Platform: wordpress
Component: users-customers-import-export-for-wp-woocommerce
Fixed version: 2.6.3
CVE-2025-1970 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Export and Import Users and Customers plugin for WordPress. This flaw allows authenticated attackers, specifically those with Administrator-level access or higher, to initiate web requests to arbitrary locations, effectively leveraging the application to query or modify internal services. The vulnerability impacts versions from 0.0.0 up to and including 2.6.2, but a patch is available in version 2.6.3.
The SSRF vulnerability in Export and Import Users and Customers allows an attacker with administrative privileges to bypass security controls and make requests to internal resources that are otherwise inaccessible from the outside. This could lead to the exposure of sensitive data stored within the internal network, such as database credentials, API keys, or configuration files. An attacker could also potentially use this vulnerability to interact with internal services, potentially leading to data modification or denial of service. The ability to query internal services makes this a significant risk, as it can be used to map the internal network and identify other potential attack vectors.
CVE-2025-1970 was publicly disclosed on 2025-03-22. There are currently no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. While no active exploitation is confirmed, the SSRF nature of the vulnerability and the plugin's popularity warrant prompt mitigation.
WordPress websites running the Export and Import Users and Customers plugin at any version below 2.6.3 are at risk, since any Administrator-level account can trigger the flaw. Shared hosting environments where plugin updates are managed centrally are also vulnerable if the plugin hasn't been updated across all accounts.
• wordpress / composer / npm:
  grep -r 'validate_file()' /var/www/html/wp-content/plugins/export-and-import-users-and-customers/
• generic web:
  curl -I https://your-wordpress-site.com/wp-content/plugins/export-and-import-users-and-customers/ | grep Server
Disclosure
Exploitation status
EPSS: 0.16% (37th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1970 is to immediately upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block outbound requests to internal IP addresses or sensitive internal endpoints. Additionally, restrict the plugin's access to internal resources by implementing stricter access controls and network segmentation. Regularly review plugin configurations and ensure that only necessary permissions are granted.
Update the Export and Import Users and Customers plugin to version 2.6.3 or later to mitigate the server-side request forgery vulnerability. The update fixes the `validate_file()` function so that arbitrary network requests can no longer be initiated.
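The update is the fix. What follows is an added example, not the plugin's code and not its `validate_file()` implementation, of the outbound-URL check a WordPress plugin should apply before fetching a user-supplied URL on the server's behalf; it is the in-application counterpart of the WAF and network-segmentation advice above. It is stand-alone PHP: the `$resolve` parameter and the `$fakeDns` table are assumptions constructed so the code runs offline without DNS. In a real plugin, WordPress's own `wp_safe_remote_get()`, which applies `wp_http_validate_url()`, performs comparable checks.

```php
<?php
// Added example (not the plugin's code): guard applied to a user-supplied URL
// before an outbound HTTP request is made on the server's behalf.

/**
 * True when $ip is a public, routable address. Private (10/8, 172.16/12,
 * 192.168/16, fc00::/7) and reserved (0/8, 127/8, 169.254/16, 240/4, ::1,
 * fe80::/10, ...) ranges are rejected; those are the destinations an SSRF
 * on a web server is most likely to be pointed at.
 */
function is_public_ip(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Returns null when $url may be fetched, otherwise a short reason string.
 * $resolve maps a hostname to its IP addresses; it defaults to the system
 * resolver and is injectable (an assumption of this example) so the
 * function can be exercised offline.
 */
function outbound_url_problem(string $url, ?callable $resolve = null): ?string
{
    $resolve = $resolve ?? fn(string $host): array => gethostbynamel($host) ?: [];

    $parts = parse_url($url);
    if ($parts === false) {
        return 'unparseable URL';
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return "scheme '{$scheme}' not allowed";     // no file://, ftp://, php://, ...
    }
    if (empty($parts['host'])) {
        return 'missing host';
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials embedded in URL';
    }
    $host = trim($parts['host'], '[]');              // strip IPv6 brackets

    // A literal IP is checked directly.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host) ? null : "{$host} is not a public address";
    }
    // A hostname is checked via every address it resolves to, so a DNS name
    // pointing at an internal address is refused the same way a literal is.
    $addresses = $resolve($host);
    if ($addresses === []) {
        return "{$host} does not resolve";
    }
    foreach ($addresses as $ip) {
        if (!is_public_ip($ip)) {
            return "{$host} resolves to non-public address {$ip}";
        }
    }
    return null;
}

// Constructed resolver table for a stand-alone run: no real DNS lookups.
$fakeDns = fn(string $host): array => [
    'example.com'    => ['93.184.216.34'],
    'intranet.local' => ['10.0.0.5'],
][$host] ?? [];

$samples = [
    'https://example.com/users.csv',   // public host: allowed
    'http://127.0.0.1/wp-admin/',      // loopback literal: refused
    'http://192.168.1.20/',            // private literal: refused
    'http://intranet.local/',          // resolves to 10.0.0.5: refused
    'ftp://example.com/users.csv',     // scheme not http(s): refused
    'https://user:pw@example.com/',    // embedded credentials: refused
];
foreach ($samples as $url) {
    printf("%-32s %s\n", $url, outbound_url_problem($url, $fakeDns) ?? 'OK');
}
```

Two caveats a reviewer would raise against this check on its own. First, it is check-then-fetch: if the HTTP client resolves the name again, a DNS answer that changes between the check and the connection (rebinding) defeats it, so resolve once and connect to the vetted address, or re-run the check on the address actually connected to. Second, a public URL may redirect to an internal one, so either disable redirect following or apply the same check to every redirect target. Restricting destination ports to 80 and 443 is a further tightening that suits an import/export feature.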
CVE-2025-1970 is a Server-Side Request Forgery vulnerability in the Export and Import Users and Customers WordPress plugin, allowing attackers with admin access to make arbitrary web requests.
You are affected if you are using the Export and Import Users and Customers plugin for WordPress at plugin versions 0.0.0 through 2.6.2.
Upgrade the plugin to version 2.6.3 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but prompt mitigation is still recommended.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.