Description
The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
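As an added example (not the plugin's or Wordfence's code), the unsafe pattern the description refers to beside a hardened reader for the same parameter; function names and the serialized sample input are constructed here:

```php
<?php
// Added example, not the plugin's own code. It contrasts the unsafe pattern the
// advisory describes (unserialize() on the untrusted 'form_data' parameter) with
// a hardened reader. Function names and the sample payload are constructed here.

// Unsafe: unserialize() instantiates any class loaded on the site, so a gadget
// class (POP chain) shipped by another plugin or theme gets its magic methods run.
function unsafe_read_form_data( array $request ) {
    return unserialize( $request['form_data'] );
}

// Hardened: allowed_classes => false makes PHP return every serialized object as
// __PHP_Incomplete_Class, which has no methods, so no __wakeup/__destruct fires.
// Only a flat array of scalar values is accepted; anything else is discarded.
function safe_read_form_data( array $request ) {
    if ( ! isset( $request['form_data'] ) || ! is_string( $request['form_data'] ) ) {
        return array();
    }
    // Malformed input makes unserialize() return false, which the next check rejects.
    $data = unserialize( $request['form_data'], array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) ) {
        return array();
    }
    // Drop anything that is not a scalar; this also removes incomplete-class objects.
    return array_filter( $data, 'is_scalar' );
}

// Constructed input: one legitimate field plus a serialized object of a class that
// does not exist here, standing in for a gadget class from another component.
$constructed = 'a:2:{s:6:"fields";s:5:"email";s:6:"gadget";O:11:"GadgetClass":1:{s:4:"note";s:7:"example";}}';

var_dump( safe_read_form_data( array( 'form_data' => $constructed ) ) );
```

Where the plugin controls both the producer and the consumer of form_data, encoding it as JSON and reading it with json_decode() avoids unserialize() entirely and removes the dependency on which classes happen to be installed.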
Published: 2025-03-22
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Export and Import Users and Customers plugin for WordPress up to version 2.6.2 is vulnerable to PHP Object Injection through untrusted deserialization of the form_data parameter. An attacker who can authenticate with Administrator privileges can inject a crafted PHP object. The plugin itself does not provide a privilege‑escalation or remote‑code‑execution chain, so the vulnerability is only useful if another component on the site contains a deserialization (POP) chain that can be leveraged.

Affected Systems

Affected systems are WordPress installations that use the Webtoffee Import/Export Users and Customers plugin version 2.6.2 or earlier. The vulnerability applies to any WordPress site, including those running WooCommerce or other e‑commerce configurations where the plugin is installed.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity once the preconditions are met. The EPSS score of <1% shows that the likelihood of exploitation is extremely low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated administrator session and the presence of another plugin or theme with a POP chain; only then can the attacker delete files, steal data, or execute arbitrary code. Without such a chain, the vulnerability is effectively non-exploitable.

Generated by OpenCVE AI on May 1, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Export and Import Users and Customers plugin to a version newer than 2.6.2 if available, or uninstall it if no updated release exists.
  • Scan the site for other plugins or themes that contain deserialization (POP) chains and either update or remove them.
  • Restrict administrator access and enforce the principle of least privilege to reduce the attack surface.

Advisories
Source: EUVD
ID: EUVD-2025-7282
Title: (identical to the Description section above)
History

Fri, 10 Apr 2026 04:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 09 Jul 2025 18:15:00 +0000

First Time appeared: Webtoffee; Webtoffee import Export Wordpress Users
CPEs: cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:wordpress:*:*
Vendors & Products: Webtoffee; Webtoffee import Export Wordpress Users

Sat, 22 Mar 2025 11:30:00 +0000

Description: (identical to the Description section above)
Title: Export and Import Users and Customers <= 2.6.2 - Authenticated (Admin+) PHP Object Injection via form_data Parameter
Weaknesses: CWE-502
References:
Metrics (cvssV3_1): {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:56.687Z

Reserved: 2025-03-04T20:57:52.138Z

Link: CVE-2025-1971

Vulnrichment

Updated: 2025-03-24T20:01:34.655Z

NVD

Status : Analyzed

Published: 2025-03-22T12:15:26.250

Modified: 2025-07-09T17:50:49.670

Link: CVE-2025-1971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:45:06Z

Weaknesses