The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.019}

epss

{'score': 0.02139}


Thu, 10 Jul 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Fastlinemedia
Fastlinemedia customizer Export\/import
CPEs cpe:2.3:a:fastlinemedia:customizer_export\/import:*:*:*:*:*:wordpress:*:*
Vendors & Products Fastlinemedia
Fastlinemedia customizer Export\/import

Mon, 09 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared The Beaver Builder Team
The Beaver Builder Team cutomizer Export\/import
CPEs cpe:2.3:a:the_beaver_builder_team:cutomizer_export\/import:*:*:*:*:*:*:*:*
Vendors & Products The Beaver Builder Team
The Beaver Builder Team cutomizer Export\/import
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 07 Sep 2024 11:30:00 +0000

Type Values Removed Values Added
Description The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created.
Title Customizer Export/Import <= 0.9.7 - Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2024-09-09T15:04:28.756Z

Reserved: 2024-08-08T16:57:49.287Z

Link: CVE-2024-7620

cve-icon Vulnrichment

Updated: 2024-09-09T15:04:21.549Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-07T12:15:12.550

Modified: 2025-07-10T15:26:45.433

Link: CVE-2024-7620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.