Description
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
Published: 2025-03-22
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Patch Update
AI Analysis

Impact

The Export and Import Users and Customers plugin for WordPress allows an authenticated attacker with Administrator privileges to delete arbitrary log files on the server due to insufficient file path validation in the admin_log_page() function. If exploited, the attacker can remove or tamper with log files, creating a denial-of-service scenario or erasing audit trail evidence. The weakness is classified as CWE-73 (External Control of File Name or Path).

Affected Systems

The vulnerability affects the Webtoffee Export and Import Users and Customers WordPress plugin. All versions up to and including 2.6.2 are impacted. Users of this plugin on any WordPress installation should confirm their plugin version.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS score of less than 1% suggests exploitation is unlikely but not impossible. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be a legitimate WordPress Administrator or higher and to supply a crafted path to the admin_log_page function; because the plugin does not perform proper path sanitization, the crafted path can reach files the web server user is able to delete.

Generated by OpenCVE AI on April 22, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later to eliminate the flawed path validation.
  • If the latest version cannot be applied, remove or deactivate the plugin entirely until a fix is available.
  • Restrict file permissions on the WordPress log directory so that only the web server user can delete files, thereby limiting the impact of any future unpatched path-validation flaws.
  • Optionally disable or restrict access to the admin_log_page functionality for non-essential administrators to minimize the attack surface.


Advisories
Source | ID | Title
EUVD | EUVD-2025-7283 | The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
History

Wed, 09 Jul 2025 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Webtoffee; Webtoffee import Export Wordpress Users
CPEs | | cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Webtoffee; Webtoffee import Export Wordpress Users

Mon, 24 Mar 2025 23:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 22 Mar 2025 11:30:00 +0000

Type | Values Removed | Values Added
Description | | The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
Title | | Export and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Weaknesses | | CWE-73
References | |
Metrics | | cvssV3_1: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:08.977Z

Reserved: 2025-03-04T21:03:27.259Z

Link: CVE-2025-1972

Vulnrichment

Updated: 2025-03-24T21:21:34.364Z

NVD

Status: Analyzed

Published: 2025-03-22T12:15:26.453

Modified: 2025-07-09T17:46:11.870

Link: CVE-2025-1972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses