6.5
CVE-2025-1972
- EPSS 0.21%
- Veröffentlicht 22.03.2025 11:18:40
- Zuletzt bearbeitet 09.07.2025 17:46:11
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginExport and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
Mögliche Gegenmaßnahme
Export and Import Users and Customers: Update to version 2.6.3, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Export and Import Users and Customers
Version
* - 2.6.2
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Webtoffee ≫ Import Export Wordpress Users SwPlatformwordpress Version < 2.6.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.434 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 1.2 | 5.2 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
|
| security@wordfence.com | 2.7 | 1.2 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
|
CWE-73 External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.