CVE-2024-13562
Published: 25 January 2025
Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.5 via the uploads directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/ directory which can contain information like imported or local user data and files.
Security Summary
CVE-2024-13562 is a sensitive information exposure vulnerability (CWE-200) in the Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress, affecting all versions up to and including 2.14.5. The flaw lies in the plugin's use of the uploads directory: sensitive data is stored insecurely under /wp-content/uploads/, which can contain information such as imported or local user data and files. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Exploitation enables them to extract the sensitive data stored in the uploads directory, resulting in high-impact confidentiality loss but no impact on integrity or availability.
The fix is the patch committed in WordPress plugins Trac changeset 3226495. Further details on the vulnerability are available in the Wordfence threat intelligence report.
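As an added illustrative check (not the plugin's or Wordfence's code), the script below walks a WordPress install on disk, inventories CSV/XML files under wp-content/uploads and reports those with no Apache .htaccess deny rule above them; the "importwp" folder name and the sample files are constructed for the demo, not taken from the plugin.

```python
"""Inventory CSV/XML files under wp-content/uploads that are not shielded by
an .htaccess deny rule. Added illustrative check, not the plugin's own code;
the 'importwp' folder name and sample files below are constructed."""
import re
import tempfile
from pathlib import Path

IMPORT_SUFFIXES = {".csv", ".xml"}
# Apache directives that block direct web access to a directory
DENY_PATTERNS = re.compile(r"(Require all denied|Deny from all)", re.IGNORECASE)


def _is_shielded(directory: Path, uploads_root: Path) -> bool:
    """True if this directory or an ancestor (up to uploads/) has an .htaccess
    with a deny rule. Assumes Apache honours .htaccess (AllowOverride)."""
    current = directory
    while True:
        htaccess = current / ".htaccess"
        if htaccess.is_file() and DENY_PATTERNS.search(htaccess.read_text(errors="ignore")):
            return True
        if current == uploads_root:
            return False
        current = current.parent


def find_exposed_import_files(wp_root: str) -> list[str]:
    """Return uploads-relative paths of CSV/XML files with no deny rule above them."""
    uploads = Path(wp_root) / "wp-content" / "uploads"
    exposed = []
    for path in sorted(uploads.rglob("*")):
        if path.is_file() and path.suffix.lower() in IMPORT_SUFFIXES:
            if not _is_shielded(path.parent, uploads):
                exposed.append(path.relative_to(uploads).as_posix())
    return exposed


def build_demo_site() -> str:
    """Constructed sample tree: one unprotected import file, one protected."""
    root = tempfile.mkdtemp()
    uploads = Path(root) / "wp-content" / "uploads"
    (uploads / "importwp" / "exports").mkdir(parents=True)
    (uploads / "importwp" / "exports" / "users.csv").write_text("email,role\n")
    (uploads / "protected").mkdir()
    (uploads / "protected" / ".htaccess").write_text("Require all denied\n")
    (uploads / "protected" / "users.xml").write_text("<users/>\n")
    (uploads / "2025" / "01").mkdir(parents=True)
    (uploads / "2025" / "01" / "photo.jpg").write_bytes(b"\xff\xd8")
    return root


if __name__ == "__main__":
    for rel in find_exposed_import_files(build_demo_site()):
        print("exposed:", rel)
```

On nginx, .htaccess is ignored, so treat every reported file as exposed and add the equivalent `location` deny rule in the server configuration instead.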
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)