CVE-2025-1971
📋 TL;DR
This CVE describes a PHP Object Injection vulnerability in the Export and Import Users and Customers WordPress plugin (versions 2.6.2 and earlier). An authenticated attacker with Administrator-level access can supply serialized PHP data that the plugin unserializes, but turning that into concrete impact requires a POP chain from another installed plugin or theme, since none exists in this plugin itself. Only WordPress sites running this specific plugin are affected.
💻 Affected Systems
- Export and Import Users and Customers WordPress plugin (slug: users-customers-import-export-for-wp-woocommerce), versions 2.6.2 and earlier
📦 What is this software?
A WordPress plugin that exports and imports WordPress user and WooCommerce customer records from the admin panel; its export and import steps run through admin-ajax.php handlers (see the class-export-ajax.php and class-import-ajax.php references below).
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could execute arbitrary code, delete files, or exfiltrate sensitive data, potentially leading to complete site compromise.
Likely Case
Limited impact since no POP chain exists in the vulnerable plugin itself; exploitation requires specific additional vulnerable components that may not be present.
If Mitigated
With proper access controls limiting Administrator accounts and regular plugin updates, impact is minimal to none.
🎯 Exploit Status
Exploitation requires Administrator credentials and the presence of a POP chain in another plugin or theme; no usable chain exists in the vulnerable plugin itself. Note that on a single-site WordPress install an Administrator can normally install or edit plugins anyway (unless DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT is set), so this issue matters most where that ability is locked down or where an Administrator account has been taken over.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any version later than 2.6.2 (the fixing changeset is linked under References)
Vendor Advisory: https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Export and Import Users and Customers' plugin.
4. Click 'Update Now' if available, or manually update to the latest version.
5. Verify the plugin version is above 2.6.2.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the plugin until a patched version (later than 2.6.2) is installed
Restrict Administrator accounts
Minimize the number of Administrator accounts and enforce strong authentication (unique passwords plus two-factor authentication) on those that remain
🧯 If You Can't Patch
- Remove the plugin entirely if it is not essential
- Implement web application firewall rules that block POST requests to /wp-admin/admin-ajax.php whose form_data parameter contains a serialized PHP object (the O:<n>:"<class>": marker); match against the URL-decoded body, and be aware that a double-encoded or base64-wrapped payload will not match a plain pattern
🔍 How to Verify
Check if Vulnerable:
In the WordPress admin panel, go to Plugins > Installed Plugins and check whether 'Export and Import Users and Customers' is installed at version 2.6.2 or lower
Check Version:
wp plugin list --name=users-customers-import-export-for-wp-woocommerce --field=version
(WP-CLI filters on the plugin slug, not its display name; the command prints nothing if the plugin is not installed)
Verify Fix Applied:
Verify plugin version is above 2.6.2 in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'form_data' parameter containing serialized data
- Multiple failed authentication attempts followed by successful Administrator login
Network Indicators:
- HTTP requests with serialized PHP objects in POST data to WordPress admin endpoints
SIEM Query:
source="wordpress_logs" AND http_method="POST" AND url_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "form_data" AND post_data MATCHES "O:[0-9]+:\""
(pseudo-query; adapt field names to your SIEM and run the match on the URL-decoded request body, otherwise an encoded payload such as O%3A8%3A%22 will not match)
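The log indicators above turned into working detection logic. This is an added example, not code from the plugin, from Wordfence or from the page's SIEM query: it scans request log lines in a constructed format (timestamp, client IP, WordPress user, method, path, status, raw POST body) for POST requests to admin-ajax.php whose form_data parameter contains a PHP serialized object, and also catches double-URL-encoded and base64-wrapped payloads that the plain O:[0-9]+: pattern would miss. The same matching logic is what a WAF rule from the 'If You Can't Patch' section needs. The log format, the sample lines, the action name example_export_step and the class name Example_Gadget are constructed placeholders, not the plugin's real AJAX actions or a real gadget class.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Header of a PHP serialized object: O:<class-name length>:"<class name>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([^"]+)":\d+:\{')

# Constructed log format for this example (not any real server's format):
# <timestamp> <client ip> <wp user or -> <method> <path> <status> <raw POST body or ->
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<body>\S*)$'
)

# Constructed sample traffic. The action name and the Example_Gadget class are
# placeholders, not the plugin's real AJAX actions or a real POP-chain class.
SAMPLE_LOG = [
    # Benign admin traffic.
    '2025-03-05T10:12:01Z 198.51.100.4 editor1 GET /wp-admin/admin-ajax.php?action=heartbeat 200 -',
    '2025-03-05T10:12:05Z 198.51.100.4 editor1 POST /wp-admin/admin-ajax.php 200 action=heartbeat&_nonce=deadbeef',
    '2025-03-05T10:13:10Z 198.51.100.9 admin POST /wp-admin/admin-ajax.php 200 action=example_export_step&form_data=%7B%22type%22%3A%22user%22%7D',
    # Serialized object (O:8:"stdClass":0:{}), URL-encoded once.
    '2025-03-05T10:20:41Z 203.0.113.7 admin POST /wp-admin/admin-ajax.php 200 action=example_export_step&form_data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D',
    # Same object, double URL-encoded to slip past a single-decode match.
    '2025-03-05T10:20:43Z 203.0.113.7 admin POST /wp-admin/admin-ajax.php 200 action=example_export_step&form_data=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D',
    # Placeholder class O:14:"Example_Gadget":0:{} wrapped in base64.
    '2025-03-05T10:20:49Z 203.0.113.7 admin POST /wp-admin/admin-ajax.php 200 action=example_export_step&form_data=TzoxNDoiRXhhbXBsZV9HYWRnZXQiOjA6e30%3D',
    # Serialized object sent to a different endpoint: outside this indicator, not reported.
    '2025-03-05T10:21:02Z 203.0.113.7 admin POST /wp-login.php 200 log=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D',
]


def decodings(value: str) -> list:
    """Return value plus the layered decodings an attacker may use to hide the
    O:...: marker: one extra URL-decoding pass (double encoding) and base64."""
    out = [value]
    decoded = unquote_plus(value)
    if decoded != value:
        out.append(decoded)
    for candidate in list(out):
        try:
            raw = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64, nothing to add
        out.append(raw.decode("utf-8", errors="replace"))
    return out


def php_object_class(value: str) -> Optional[str]:
    """Class name of the first serialized PHP object found in any decoding of
    value, or None if there is none."""
    for candidate in decodings(value):
        match = PHP_OBJECT_RE.search(candidate)
        if match:
            return match.group(1)
    return None


def scan(lines) -> list:
    """One alert per POST to admin-ajax.php whose form_data parameter carries a
    serialized PHP object, which is the log indicator for this CVE."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # decodes one URL layer
        for form_data in params.get("form_data", []):
            cls = php_object_class(form_data)
            if cls is not None:
                alerts.append({
                    "ts": m["ts"], "ip": m["ip"], "user": m["user"],
                    "action": params.get("action", ["-"])[0], "class": cls,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} user={alert["user"]} '
              f'action={alert["action"]} serialized class={alert["class"]}')
```

Running the script reports the three requests from 203.0.113.7 and nothing for the benign form_data JSON or the request to wp-login.php. The class name in each alert is what to pivot on: stdClass is harmless on its own, while a class belonging to another installed plugin or theme is the sign that someone is probing for a POP chain.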
🔗 References
- https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/export/classes/class-export-ajax.php
- https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/import/classes/class-import-ajax.php
- https://plugins.trac.wordpress.org/changeset/3259688/
- https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4b24b3d2-589f-47b2-bcdd-bebc87cafeda?source=cve