CVE-2024-13562

CVSS base score: 7.5 (HIGH)

📋 TL;DR

The Import WP plugin for WordPress keeps imported files (and the data in them) under the web-served uploads directory without restricting who may fetch them, so an unauthenticated attacker can read that data with plain HTTP requests. All sites running Import WP version 2.14.5 or earlier are affected; the issue is fixed in 2.14.6.

💻 Affected Systems

Products:
  • Import WP – Export and Import CSV and XML files to WordPress
Versions: All versions up to and including 2.14.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin version are affected regardless of configuration.

📦 What is this software?

Import WP is a WordPress plugin for bulk importing and exporting site records (posts, users and similar content) from CSV and XML files. The files it works with are stored in a subdirectory of wp-content/uploads/, which is the directory this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could extract sensitive user data including personally identifiable information, credentials, or proprietary business data, leading to data breaches, regulatory violations, and reputational damage.

🟠 Likely Case

Attackers will scan for vulnerable sites and extract any accessible sensitive data from the uploads directory, potentially exposing user information and imported files.

🟢 If Mitigated

If the web server denies direct HTTP access to the plugin's upload directory, or the imported files have been removed from it, the exposure is prevented entirely. Filesystem permissions alone do not help: the files are served by the web server process itself, which can always read them.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an HTTP GET to the plugin's path under wp-content/uploads/. No account, session or user interaction is needed, and the response is the stored file itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.14.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3226495/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Import WP – Export and Import CSV and XML files'
4. Click 'Update Now' if available
5. Alternatively, download version 2.14.6+ from WordPress repository
6. Deactivate, delete old version, upload and activate new version

🔧 Temporary Workarounds

Restrict uploads directory access

Apache

Add an .htaccess file that denies direct web access to the plugin's own upload subdirectory. Place it in wp-content/uploads/import-wp/, not in wp-content/uploads/ itself, or every image and media file on the site stops being served. "Order"/"Deny from all" is Apache 2.2 syntax (it only works on 2.4 if mod_access_compat is loaded); Apache 2.4 uses "Require all denied", so include both forms:

# Add to .htaccess in wp-content/uploads/import-wp/
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Allow,Deny
    Deny from all
</IfModule>

The file only takes effect if AllowOverride permits it for that path, and it blocks HTTP access only: the plugin reads import files from disk, so server-side imports should keep working, but any export download links that point into this directory will start returning 403. nginx does not read .htaccess files; there the equivalent is a location block for the same path that returns 403.

Move sensitive data

All platforms

Delete import source files from the uploads directory as soon as the import has finished, and keep any files that must be retained in a directory outside the web root (or one the web server is configured not to serve).

🧯 If You Can't Patch

  • Deactivate and remove the Import WP plugin immediately
  • Add a WAF or reverse-proxy rule that returns 403 for every request under /wp-content/uploads/import-wp/

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for Import WP version 2.14.5 or earlier

Check Version:

wp plugin list --name='import-wp' --field=version

Verify Fix Applied:

Confirm the plugin version is 2.14.6 or later, then request https://<site>/wp-content/uploads/import-wp/ (and, if you know one, the name of a previously imported file) from outside the site. A 403 or 404 is the expected result; a 200, and especially a 200 that returns a directory index, means the data is still exposed.
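
The two checks above can be scripted. The following is an added example written for this page (not code from the Import WP plugin or its authors); it assumes the plugin's upload directory is /wp-content/uploads/import-wp/ and that 2.14.6 is the first fixed release, both as stated on this page, and treats any 200 response as exposure, with a directory index as the worst case.

```python
"""Added check: is this WordPress site still exposing Import WP's upload directory?

Example code written for this page, not part of the Import WP plugin.
Assumptions: the plugin stores files under /wp-content/uploads/import-wp/
and the first patched release is 2.14.6 (both taken from this page).
"""
import re
import urllib.error
import urllib.request

PATCHED_VERSION = (2, 14, 6)                   # first fixed release
IMPORT_DIR = "/wp-content/uploads/import-wp/"  # assumed plugin upload path


def parse_version(version: str) -> tuple:
    """Turn '2.14.5' into (2, 14, 5); a trailing tag such as '-beta' is dropped."""
    nums = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in nums)


def is_vulnerable_version(version: str) -> bool:
    """True for every release before the fix, i.e. 2.14.5 and earlier."""
    return parse_version(version) < PATCHED_VERSION


def classify_response(status: int, body: str) -> str:
    """Classify the response for the import directory.

    'blocked'    - 401/403/404: direct web access is denied (the goal)
    'listing'    - 200 with an auto-generated directory index: every stored
                   file is enumerable, the worst case
    'accessible' - any other 2xx/3xx: files can still be fetched by anyone
                   who knows or guesses a name
    """
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and re.search(r"<title>Index of|Directory listing", body, re.I):
        return "listing"
    return "accessible"


def check_site(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the import directory over the network and classify the result."""
    url = base_url.rstrip("/") + IMPORT_DIR
    req = urllib.request.Request(url, headers={"User-Agent": "importwp-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify_response(resp.status, body)
    except urllib.error.HTTPError as err:
        # 403/404 raise here; they are the expected "blocked" outcome
        return classify_response(err.code, "")


if __name__ == "__main__":
    import sys

    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    print(f"{site}{IMPORT_DIR}: {check_site(site)}")
```

Run it against the site's public hostname from outside, not from the server itself, so that any proxy or WAF rule in front of the site is exercised too; a result of "accessible" after patching usually means previously imported files were left behind in the directory and should be deleted by hand.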

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /wp-content/uploads/import-wp/ paths
  • Multiple 200 responses for uploads directory access from single IPs

Network Indicators:

  • HTTP requests to /wp-content/uploads/import-wp/* from unauthenticated sources
  • Directory traversal attempts in uploads paths

SIEM Query:

source="web_logs" AND uri_path CONTAINS "/wp-content/uploads/import-wp/" AND status=200 AND user_agent NOT CONTAINS "bot"

The user-agent exclusion only drops self-declared crawlers; an attacker can send any User-Agent string, so treat it as noise reduction, not as a trust boundary. Once the .htaccess or WAF workaround is in place, run the same query with status=403 to see who is still probing the path.
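
The same logic as the SIEM query, run directly over access logs, as an added example written for this page (not from the plugin or any SIEM vendor). The log lines are constructed for the example in Apache combined format, which nginx's default "combined" format shares; the path /wp-content/uploads/import-wp/ is this page's assumed plugin upload directory.

```python
"""Added detection example: which clients pulled files from Import WP's upload
directory, and which were blocked.

Example code written for this page, not from the plugin or any SIEM vendor.
SAMPLE_LOG is constructed for the example; the import path is the one assumed
on this page.
"""
import re
from collections import Counter, defaultdict

IMPORT_PATH = "/wp-content/uploads/import-wp/"
BOT_UA = re.compile(r"bot|crawler|spider", re.I)

# Apache "combined" log format (nginx's default 'combined' has the same shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one scraper, one ordinary media hit, one blocked probe,
# one self-declared crawler.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:10:01:02 +0000] "GET /wp-content/uploads/import-wp/ HTTP/1.1" 200 2311 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2025:10:01:03 +0000] "GET /wp-content/uploads/import-wp/users-export.csv HTTP/1.1" 200 48211 "-" "python-requests/2.31"
203.0.113.7 - - [10/Feb/2025:10:01:04 +0000] "GET /wp-content/uploads/import-wp/orders.xml HTTP/1.1" 200 90112 "-" "python-requests/2.31"
198.51.100.4 - - [10/Feb/2025:10:05:00 +0000] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2025:10:06:00 +0000] "GET /wp-content/uploads/import-wp/users-export.csv HTTP/1.1" 403 199 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Feb/2025:10:07:00 +0000] "GET /wp-content/uploads/import-wp/ HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
"""


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_hits(log_text: str, min_hits: int = 1) -> dict:
    """{ip: [paths]} for clients that fetched anything under the import directory
    with a 2xx response, ignoring self-declared crawlers.

    The UA filter is noise reduction only: an attacker chooses their own
    User-Agent, so anything it excludes is a blind spot, not a verdict.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["path"].startswith(IMPORT_PATH):
            continue
        if not rec["status"].startswith("2"):
            continue
        if BOT_UA.search(rec["ua"]):
            continue
        hits[rec["ip"]].append(rec["path"])
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_hits}


def blocked_attempts(log_text: str) -> Counter:
    """401/403 responses for the import path per client IP: evidence both that
    the workaround is holding and of who is probing it."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["path"].startswith(IMPORT_PATH) and rec["status"] in ("401", "403"):
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, paths in suspicious_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} file(s) retrieved: {', '.join(paths)}")
    for ip, n in blocked_attempts(SAMPLE_LOG).items():
        print(f"{ip}: {n} blocked attempt(s)")
```

A single 200 for a named CSV is already a confirmed disclosure, which is why min_hits defaults to 1; raise it only when the directory also serves files the site legitimately links to. Keep the blocked-attempt count as its own signal rather than folding it into the first query, since a 403 after the workaround is the expected, healthy outcome.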
