Description
The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-03-22
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery via validate_file
Action: Immediate Patch
AI Analysis

Impact

The Export and Import Users and Customers WordPress plugin suffers from a Server-Side Request Forgery vulnerability in versions up to and including 2.6.2. The flaw resides in the validate_file() function, which does not properly restrict the locations that can be requested. Authenticated attackers who possess Administrator-level credentials can trigger the function to perform HTTP or HTTPS requests to arbitrary internal or external endpoints from the web server. This lets the attacker read from, modify, or otherwise interact with sensitive internal services, compromising their confidentiality and integrity, and potentially their availability, for the duration of each forged request. The vulnerability is classified as CWE-918, the standard SSRF weakness.
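As an added illustration (not the plugin's code, which this page does not show), the kind of location check a hardened validate_file() should perform before fetching a user-supplied URL; the function name validate_import_location and the $allowed_hosts allowlist are assumptions:

```php
<?php
// Added example, not the plugin's own validate_file(): restrict a user-supplied
// URL to plain HTTP(S), an allowlisted host, and public IP addresses only.

function is_private_ip(string $ip): bool {
    // filter_var() returns false for private (RFC 1918) and reserved ranges,
    // which include loopback (127/8) and link-local (169.254/16) addresses.
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

// $allowed_hosts is an assumed allowlist, e.g. ['files.example.test'].
function validate_import_location(string $url, array $allowed_hosts): bool {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Only plain HTTP(S): rejects file://, gopher://, php:// and friends.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials are a common way to confuse host parsing.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return false;
    }
    // Resolve and check every A record, so an allowlisted name that resolves
    // to 127.0.0.1 or 169.254.169.254 is still rejected.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        if (is_private_ip($ip)) {
            return false;
        }
    }
    return true;
}
```

Inside WordPress, wp_safe_remote_get() applies the core wp_http_validate_url() checks, which reject non-HTTP schemes and internal hosts. A check of this kind still leaves a DNS-rebinding window between resolution and fetch, so the HTTP client should connect to the address that was validated rather than resolving the name a second time.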

Affected Systems

The affected product is the WordPress plugin "Export and Import Users and Customers" from WebToffee, with all versions 2.6.2 and earlier. Administrators or higher privileged users operating within any WordPress site that hosts the plugin are within the scope of the vulnerability.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, but the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low. Even though the vulnerability requires authenticated administrative access, which is a reasonably restrictive precondition, the flaw still represents a serious internal threat, particularly if the WordPress installation is exposed to a wider threat surface or if privileged accounts are compromised. The vulnerability is not listed in the CISA KEV catalog, so that database records no known exploitation. Nonetheless, the nature of the flaw makes it a strong candidate for preemptive remediation.

Generated by OpenCVE AI on April 21, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Export and Import Users and Customers plugin to a version newer than 2.6.2 that contains the SSRF fix.
  • If an upgrade cannot be performed immediately, deactivate or remove the plugin from the WordPress site until a patched version is available, ensuring that no authenticated user can invoke the vulnerable function.
  • Apply the principle of least privilege by limiting Administrator access to trusted personnel and audit the current administrator roles to confirm that none are unnecessarily privileged.



Advisories
Source: EUVD
ID: EUVD-2025-7281
Title: The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Wed, 09 Jul 2025 18:15:00 +0000

  • First Time appeared (values added): Webtoffee; Webtoffee import Export Wordpress Users
  • CPEs (values added): cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:wordpress:*:*
  • Vendors & Products (values added): Webtoffee; Webtoffee import Export Wordpress Users

Mon, 24 Mar 2025 20:15:00 +0000

  • Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 22 Mar 2025 11:30:00 +0000

  • Description (values added): The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
  • Title (values added): Export and Import Users and Customers <= 2.6.2 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
  • Weaknesses (values added): CWE-918
  • References
  • Metrics cvssV3_1 (values added): {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:00.424Z

Reserved: 2025-03-04T20:47:39.778Z

Link: CVE-2025-1970

Vulnrichment

Updated: 2025-03-24T19:22:42.857Z

NVD

Status : Analyzed

Published: 2025-03-22T12:15:25.797

Modified: 2025-07-09T17:57:31.420

Link: CVE-2025-1970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:00:26Z

Weaknesses