CVE-2024-34815

The WordPress plugin "Import and export users and customers" by Javier Carazo is vulnerable to a broken access control issue in versions up to 1.26.5. The vulnerability stems from missing authorization checks, allowing unprivileged users to perform actions that should be restricted to higher-privileged roles [1][2].

An attacker can exploit this by sending crafted requests without proper authentication or nonce validation, potentially gaining the ability to import or export user data, including sensitive information. The attack does not require prior authentication and can be executed remotely, increasing the risk of mass exploitation [1].

The impact includes unauthorized access to user data, modification of user roles, or other administrative actions. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Mitigation is available by updating the plugin to version 1.26.6 or later. Patchstack has also issued a mitigation rule to block attacks until the update is applied [2].