CVE-2024-22151 – This CVE describes a Missing Authorization vuln... (How to Fix)

Q: What is the severity of CVE-2024-22151?

CVE-2024-22151 has a CVSS score of 5.3 (MEDIUM). This CVE describes a Missing Authorization vulnerability in the WordPress 'Import and export users and customers' plugin. It allows unauthorized users to access functionality intended only for administrators, potentially enabling user data export or import operations. All WordPress sites using affected plugin versions are vulnerable.

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the WordPress 'Import and export users and customers' plugin. It allows unauthorized users to access functionality intended only for administrators, potentially enabling user data export or import operations. All WordPress sites using affected plugin versions are vulnerable.

💻 Affected Systems

Products:

WordPress Import and export users and customers plugin

Versions: n/a through 1.24.6

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations using the vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

Import And Export Users And Customers by Codection

View all CVEs affecting Import And Export Users And Customers →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthenticated attackers could export all user data including sensitive information, or import malicious users with administrative privileges, leading to complete site compromise.

🟠

Likely Case

Attackers with basic user accounts could access administrative import/export functions, potentially exposing user data or manipulating user accounts.

🟢

If Mitigated

With proper access controls, only authenticated administrators could access these functions, limiting exposure to trusted personnel.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires at least some level of user access, but detailed exploit methods are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.24.7 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/import-users-from-csv-with-meta/wordpress-import-and-export-users-and-customers-plugin-1-24-6-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Import and export users and customers'. 4. Click 'Update Now' if available, or download version 1.24.7+ from WordPress repository. 5. Replace plugin files if manual update required.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate import-users-from-csv-with-meta

Restrict Access via .htaccess

linux

Block access to plugin directories for non-administrative users

# Add to .htaccess in plugin directory:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1

🧯 If You Can't Patch

Implement strict network access controls to limit who can access the WordPress admin interface
Enable detailed logging and monitoring for any import/export user activities

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins, find 'Import and export users and customers' and check version number

Check Version:

wp plugin get import-users-from-csv-with-meta --field=version

Verify Fix Applied:

Verify plugin version is 1.24.7 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to /wp-admin/admin.php?page=acui* endpoints
Unexpected user export or import operations from non-admin accounts

Network Indicators:

HTTP requests to import/export endpoints from unauthorized IP addresses

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php" AND uri_query="page=acui*") AND user_role!="administrator"

📊 Metadata

CVE ID: CVE-2024-22151

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

Published: June 8, 2024

Last Updated: July 12, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-22151, you might also want to check these: