Description
Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comments Import & Export: from n/a through <= 2.4.9.
Published: 2026-03-25
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

A Missing Authorization flaw in the WebToffee Comments Import & Export plugin allows exploitation of incorrectly configured access control security levels. An attacker can trigger the plugin's import or export functions without the required authorization, potentially gaining unauthorized access to comment data and the ability to import malicious data.

Affected Systems

WordPress sites running the WebToffee Comments Import & Export plugin in any version up to and including 2.4.9 are affected, regardless of the hosting environment.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.7, indicating high severity, but the EPSS score is below 1%, suggesting a low current probability of exploitation. It is not listed in CISA's KEV catalog. The likely attack vector is web-based exploitation of the plugin's import/export endpoints that lack proper authorization checks. These endpoints could be reached by any authenticated user, or even by an unauthenticated visitor if the site exposes the plugin's functions before login.

Generated by OpenCVE AI on March 26, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Comments Import & Export plugin to the newest release available from WebToffee.
  • If an update cannot be applied immediately, restrict the plugin’s functionality to administrator accounts or disable it until a patch is available.
  • Verify that no legacy versions of the plugin remain installed in your WordPress environment.
  • Monitor WordPress logs for unexpected import or export activity.
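The root cause named in the analysis above (privileged import/export actions reachable without an authorization check) and the interim recommendation to restrict the plugin's functionality to administrator accounts both come down to the same pattern in plugin code. The following is an added example, not code from the Comments Import & Export plugin or from OpenCVE; the hook name, action name, nonce name and function names are placeholders. It shows a WordPress admin-post export handler that enforces a capability check and a nonce check before doing any work, which is the check whose absence CWE-862 describes:

```php
<?php
// Added example of the authorization pattern for privileged import/export
// actions in a WordPress plugin. All identifiers below are placeholders and
// are not the real hooks or functions of the affected plugin.

// admin_post_{action} only fires for logged-in users, but "logged in" is not
// "authorized": a subscriber-level account reaches this hook too. The
// capability check inside the handler is what closes the gap.
add_action( 'admin_post_example_export_comments', 'example_export_comments' );

function example_export_comments() {
    // 1. Authorization: require a capability, not merely an authenticated
    //    session. On a default install 'manage_options' is granted only to
    //    administrators, which matches the "restrict to administrator
    //    accounts" recommendation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to export comments.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF protection: verify the nonce bound to this specific action so an
    //    administrator cannot be made to trigger the export from another site.
    check_admin_referer( 'example_export_comments_nonce' );

    // 3. Only now perform the privileged operation.
    $comments = get_comments( array( 'status' => 'approve' ) );

    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="comments.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'comment_ID', 'comment_author', 'comment_content' ) );
    foreach ( $comments as $c ) {
        fputcsv( $out, array( $c->comment_ID, $c->comment_author, $c->comment_content ) );
    }
    fclose( $out );
    exit;
}

// The admin-side form that submits to the handler carries the matching nonce.
// Rendering this form should itself be limited to the same capability.
function example_export_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_export_comments">
        <?php wp_nonce_field( 'example_export_comments_nonce' ); ?>
        <?php submit_button( 'Export comments' ); ?>
    </form>
    <?php
}
```

The same two checks apply to an AJAX variant registered on `wp_ajax_{action}`; a `wp_ajax_nopriv_{action}` registration would expose the action to unauthenticated visitors and should never be used for import or export. When reviewing a plugin during the "disable it until a patch is available" window, the thing to look for is exactly this: a handler for import or export that reaches the data operation without a `current_user_can()` call.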

Generated by OpenCVE AI on March 26, 2026 at 20:56 UTC.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 19:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Webtoffee; Webtoffee wordpress Comments Import And Export; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Webtoffee; Webtoffee wordpress Comments Import And Export; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comments Import & Export: from n/a through <= 2.4.9.

Type: Title
Values Removed: (empty)
Values Added: WordPress Comments Import & Export plugin <= 2.4.9 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-862

Type: References
Values Removed: (empty)
Values Added: (empty)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:12:45.830Z

Reserved: 2026-03-12T11:11:35.693Z

Link: CVE-2026-32441

Vulnrichment

Updated: 2026-03-26T19:11:19.611Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:59.050

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-32441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:13Z

Weaknesses