Authenticated (Shop Manager-level) Modification of Data and Potential Administrator Account Takeover in Export and Import Users and Customers Plugin for WordPress


CVE-2023-3459 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function, which is called via an AJAX action, in versions up to and including 2.4.1. Because wp_ajax_* handlers are reachable by any logged-in user, a capability check inside the handler is the only thing that restricts who can invoke it. Its absence makes it possible for authenticated attackers with Shop Manager-level permissions to change user passwords and potentially take over administrator accounts.
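The following is an added illustration of the bug class described above, written for this page; it is not code from the Export and Import Users and Customers plugin, and the action name, function names and request parameters (`example_update_customer`, `user_id`, `user_pass`, `nonce`) are placeholders. It shows the shape of an admin-ajax handler that updates a user without checking the caller's capabilities, beside a hardened version that adds a nonce check and authorizes the request against the specific target user.

```php
<?php
/**
 * Added illustration of the bug class in CVE-2023-3459: an admin-ajax handler that
 * updates a user without checking the caller's capabilities. Hypothetical code, not
 * taken from the Export and Import Users and Customers plugin; the action, function
 * and parameter names below are placeholders.
 */

// Shape of a vulnerable handler. wp_ajax_{action} hooks fire for any logged-in user,
// so the login itself is the only gate: a Shop Manager (or any subscriber) can POST
// an administrator's ID plus a new password and reset that account.
function example_update_customer_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['user_pass'] ?? '' );

    // No nonce, no capability check, no check of who the target user is.
    wp_update_user( array( 'ID' => $user_id, 'user_pass' => $password ) );
    wp_send_json_success();
}

// Hardened handler, registered in place of the vulnerable one.
add_action( 'wp_ajax_example_update_customer', 'example_update_customer_hardened' );

function example_update_customer_hardened() {
    // CSRF: the request must carry a nonce minted for this action
    // (wp_create_nonce( 'example_update_customer' ) on the page that issues the call).
    // check_ajax_referer() dies with a -1 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_update_customer', 'nonce' );

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) ( $_POST['user_pass'] ?? '' );

    if ( ! $user_id || '' === $password ) {
        wp_send_json_error( 'missing user_id or user_pass', 400 );
    }

    // Authorization against the *target* user. 'edit_user' is a meta capability:
    // map_meta_cap() resolves it per user, so restrictions on which accounts the
    // caller may edit (WooCommerce limits Shop Managers this way; multisite protects
    // super admins) are enforced. A bare current_user_can( 'edit_users' ) would not do that.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Belt and braces: a caller who cannot manage the site never sets the password
    // of an account that can, regardless of how roles were mapped.
    if ( user_can( $user_id, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $result = wp_update_user( array( 'ID' => $user_id, 'user_pass' => $password ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }

    wp_send_json_success( array( 'updated' => $result ) );
}
```

The check that matters for this class of bug is the per-user one: `current_user_can( 'edit_user', $user_id )` asks whether the caller may edit that particular account, which is what lets role-aware filters keep a Shop Manager away from administrator accounts. A role check alone (for example, "is the caller a Shop Manager?") would still leave every account on the site writable by that role.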
