Description
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Javier Carazo Import and export users and customers import-users-from-csv-with-meta allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through <= 1.27.12.
Published: 2025-01-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Import and export users and customers plugin lets attackers write sensitive information into a file or directory that can be accessed from outside the WordPress installation. The exposed data can then be read by anyone who obtains a link to the file, resulting in a loss of confidentiality. This weakness matches CWE-538, which describes the insertion of sensitive data into an externally accessible file or directory.

Affected Systems

The vulnerability impacts the WordPress plugin "Import and export users and customers" produced by Javier Carazo, also known as import-users-from-csv-with-meta. Versions up to and including 1.27.12 are affected; no lower bound on the vulnerable range is specified.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score of less than 1% shows that exploitation is currently considered unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need access to the plugin’s functionality—typically via the WordPress admin interface—to generate or download the vulnerable file, so the likely attack vector is remote through the web application.

Generated by OpenCVE AI on May 1, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 1.27.12.
  • Restrict file permissions on the upload and export directories so that exported files are not publicly readable.
  • Review the data included in exports and remove any sensitive fields before files are made accessible.

Advisories
Source: EUVD
ID: EUVD-2025-3883
Title: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through 1.27.12.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type: Metrics
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through 1.27.12.
Values Added: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Javier Carazo Import and export users and customers import-users-from-csv-with-meta allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through <= 1.27.12.

Type: References

Type: Metrics
cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Mon, 27 Jan 2025 14:30:00 +0000

Type: Description
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in codection Import and export users and customers allows Retrieve Embedded Sensitive Data. This issue affects Import and export users and customers: from n/a through 1.27.12.

Type: Title
WordPress Import and export users and customers plugin 1.27.12 - Sensitive Data Exposure vulnerability

Type: Weaknesses
CWE-538

Type: References

Type: Metrics
cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Codection Import And Export Users And Customers
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:32.050Z

Reserved: 2025-01-23T14:52:14.008Z

Link: CVE-2025-24689

Vulnrichment

Updated: 2025-02-12T20:37:47.212Z

NVD

Status: Deferred

Published: 2025-01-27T15:15:16.073

Modified: 2026-04-23T15:25:17.543

Link: CVE-2025-24689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T18:15:22Z

Weaknesses