Description
The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
Published: 2025-03-22
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated Arbitrary File Read
Action: Update Plugin
AI Analysis

Impact

The Export and Import Users and Customers plugin, used within WordPress, contains a directory traversal flaw in the download_file() function. This weakness (CWE‑22) allows an attacker who has authenticated Administrator or higher privileges to read the contents of any file on the server by crafting a path traversal request. The plugin could expose log files that may hold sensitive data, therefore compromising confidentiality of those files.

Affected Systems

All WordPress sites that have the Webtoffee Export and Import Users and Customers plugin installed on version 2.6.2 or earlier. The vulnerability is specifically tied to the plugin provided by Webtoffee and is relevant to WordPress installations that include this plugin.

Risk and Exploitability

The CVSS score for this issue is 4.9, indicating moderate severity. The EPSS score of less than 1% reflects a very low but non‑zero probability of exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authorized Administrator or higher account, meaning the danger arises from credential compromise or mis‑assigned privileges rather than from direct unauthenticated access.

Generated by OpenCVE AI on April 22, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later.
  • If an update is not immediately feasible, remove or disable the download_file() functionality or restrict it so that it cannot access directories outside the intended export folder.
  • Restrict the number of Administrator‑level accounts and enforce least‑privilege principles so that only essential personnel retain high‑level access.

Generated by OpenCVE AI on April 22, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7279 The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
History

Wed, 09 Jul 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Webtoffee
Webtoffee import Export Wordpress Users
CPEs cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:wordpress:*:*
Vendors & Products Webtoffee
Webtoffee import Export Wordpress Users

Mon, 24 Mar 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 22 Mar 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
Title Export and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Webtoffee Import Export Wordpress Users
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:41.274Z

Reserved: 2025-03-04T21:06:31.898Z

Link: CVE-2025-1973

cve-icon Vulnrichment

Updated: 2025-03-24T17:36:18.048Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-22T12:15:26.653

Modified: 2025-07-09T17:43:34.383

Link: CVE-2025-1973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T17:45:22Z

Weaknesses