CVE-2023-6558
📋 TL;DR
The Export and Import Users and Customers WordPress plugin up to version 2.4.8 has insufficient file type validation in the upload_import_file function, allowing authenticated attackers with shop manager or higher privileges to upload arbitrary files. This can lead to remote code execution on vulnerable WordPress sites.
💻 Affected Systems
- Export and Import Users and Customers WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, allowing attackers to install backdoors, steal data, deface websites, or pivot to other systems.
Likely Case
Website defacement, data theft, or installation of cryptocurrency miners or malware on vulnerable WordPress installations.
If Mitigated
Limited impact if proper file upload restrictions and user privilege controls are in place, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.9
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3008454/users-customers-import-export-for-wp-woocommerce
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Export and Import Users and Customers' plugin.
4. Click 'Update Now' if available, or manually update to version 2.4.9+.
5. Verify the plugin version after the update.
🔧 Temporary Workarounds
Disable vulnerable plugin
Platform: all. Temporarily disable the plugin until patched:
wp plugin deactivate users-customers-import-export-for-wp-woocommerce
Restrict file uploads via .htaccess
Platform: Linux (Apache with .htaccess overrides enabled). Block PHP file execution in upload directories; this does not stop the upload itself, only the execution of uploaded PHP files by Apache.
Add to .htaccess in the uploads directory:
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
The Order/Deny directives need mod_access_compat on Apache 2.4; the native 2.4 equivalent is `Require all denied` inside the same FilesMatch block. Nginx ignores .htaccess, so the equivalent restriction must go in the server configuration.
🧯 If You Can't Patch
- Remove shop manager privileges from untrusted users
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for 'Export and Import Users and Customers' version 2.4.8 or lower
Check Version:
wp plugin get users-customers-import-export-for-wp-woocommerce --field=version
Verify Fix Applied:
Verify plugin version is 2.4.9 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /wp-content/uploads/ directory
- POST requests to /wp-admin/admin-ajax.php with action=upload_import_file
- PHP file execution from upload directories
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints
- Unusual outbound connections from web server after file upload
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" AND parameters.action="upload_import_file")
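The log indicators above can be checked offline against web server access logs. The following is an added example (not part of this advisory or the plugin) that flags the two indicators visible in a standard combined-format access log: a POST to admin-ajax.php carrying action=upload_import_file in the query string, and a PHP file served from /wp-content/uploads/. The log lines are constructed samples; the IP addresses and file names are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

UPLOAD_ACTION = "upload_import_file"  # vulnerable AJAX action named in the advisory


def classify(line):
    """Return an indicator label for one access-log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m.group("method"), m.group("target"), m.group("status")
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    # Indicator 1: the vulnerable import-upload action being invoked. WordPress AJAX
    # actions are usually sent in the POST body, which access logs do not record, so
    # only requests that place action= in the query string are visible here (caveat).
    if (method == "POST" and parts.path.endswith("/wp-admin/admin-ajax.php")
            and UPLOAD_ACTION in qs.get("action", [])):
        return "import-upload-action"
    # Indicator 2: a PHP file successfully served (i.e. executed) from the uploads tree.
    if ("/wp-content/uploads/" in parts.path and parts.path.lower().endswith(".php")
            and status == "200"):
        return "php-exec-in-uploads"
    return None


def scan(lines):
    """Return (client_ip, indicator, request_target) for every matching line."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), label, m.group("target")))
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=upload_import_file HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2023:10:00:09 +0000] "GET /wp-content/uploads/2023/12/import.php HTTP/1.1" 200 84 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2023:10:01:00 +0000] "GET /wp-content/uploads/2023/12/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2023:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, label, target in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{target}")
```

Because the action parameter is normally in the POST body, pair this with the .htaccess execution block or a WAF rule that inspects request bodies rather than relying on access-log matches alone.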
🔗 References
- https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/tags/2.4.7/admin/modules/import/classes/class-import-ajax.php#L124
- https://plugins.trac.wordpress.org/changeset/3008454/users-customers-import-export-for-wp-woocommerce#file197
- https://www.wordfence.com/threat-intel/vulnerabilities/id/55b3e2dc-dc4f-408b-bbc6-da72ed5ad245?source=cve