VYPR
Unrated severity · NVD Advisory · Published Mar 22, 2025 · Updated Apr 8, 2026

Export and Import Users and Customers <= 2.6.2 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function

CVE-2025-1970

Description

The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Export and Import Users and Customers plugin up to 2.6.2 contains an SSRF vulnerability in validate_file() allowing admin-level attackers to make arbitrary web requests and access internal services.

Vulnerability

The validate_file() function in all versions up to 2.6.2 of the Export and Import Users and Customers plugin for WordPress performs insufficient input validation, allowing an attacker to inject URLs. This function is reachable during file import/export operations.

Exploitation

An authenticated attacker with Administrator-level access can exploit this by providing a malicious URL in the file validation process. No additional privileges or user interaction are required. The function processes the URL and makes a server-side request, enabling the attacker to scan internal networks and interact with internal services.

Impact

Successful exploitation allows the attacker to make HTTP requests to arbitrary internal or external hosts from the WordPress server's context. This can lead to information disclosure from internal services and potentially data modification if those services accept unauthenticated writes. The attacker gains the ability to query and modify information from internal services, escalating beyond typical administrative privileges within the internal network.

Mitigation

The plugin vendor has released version 2.7.3 which fixes the issue, as indicated by the plugin's update history [1]. Users are strongly advised to update to at least 2.7.3. No workarounds are documented. The vulnerability is not listed in CISA's KEV as of the publication date.
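The weakness the advisory describes is the general SSRF pattern: a URL supplied by the user is accepted and fetched without checking where it points. The following is an added example of the kind of check a defender would expect such a function to perform; it is not the plugin's code and does not reproduce its validate_file(). The function name validate_remote_file_url and the sample URLs are constructed for illustration.

```php
<?php
// Added illustration, not the plugin's code: validating a user-supplied URL
// before an import/export feature fetches a file from it.

/**
 * Return the URL if it is safe to fetch from the server, or null otherwise.
 * Rejects non-HTTP schemes, embedded credentials, non-standard ports, and
 * hosts that resolve to loopback, private, link-local or reserved ranges.
 */
function validate_remote_file_url(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;                  // unparseable, or no host (e.g. file:///etc/passwd)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                  // only plain web fetches; no file://, gopher://, php:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                  // user:pass@host forms are a frequent parser-confusion trick
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        return null;                  // no requests to arbitrary internal ports
    }

    // parse_url() keeps the brackets on an IPv6 literal host, e.g. "[::1]".
    $host = strtolower(trim($parts['host'], '[]'));

    // Resolve hostnames to an address. gethostbyname() returns its input unchanged
    // when resolution fails, so an unresolvable name falls through to the IP check
    // below and is rejected. Hostnames therefore need working DNS to pass.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);

    // Reject private (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved ranges
    // (127/8, 169.254/16, 0/8, ::1, ...). Link-local 169.254/16 matters because
    // cloud instance-metadata services listen there.
    $public = filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $public === false ? null : $url;
}

// Constructed sample inputs; the first one needs DNS to resolve example.com.
$samples = [
    'https://example.com/users.csv',   // allow (public host, https, default port)
    'http://127.0.0.1/wp-admin/',      // reject: loopback
    'http://169.254.169.254/latest/',  // reject: link-local / metadata range
    'http://10.0.0.5:8080/',           // reject: non-standard port (and private range)
    'file:///etc/passwd',              // reject: not http(s), no host
    'http://[::1]/',                   // reject: IPv6 loopback
    'http://admin:secret@example.com/', // reject: embedded credentials
];
foreach ($samples as $u) {
    printf("%-36s %s\n", $u, validate_remote_file_url($u) === null ? 'reject' : 'allow');
}
```

Inside WordPress itself the same checks are available without hand-rolling them: wp_safe_remote_get() and wp_safe_remote_post() pass the URL through wp_http_validate_url(), which refuses local and private destinations, and a plugin fetching a user-supplied URL should use those rather than the unsafe wp_remote_* variants or raw cURL. Two caveats apply to any validator of this shape: it does not stop a redirect from a public host to an internal one (limit or re-validate redirects), and validating the resolved address separately from the fetch leaves a DNS-rebinding window, so the safest clients pin the validated IP for the actual connection. Note also that the Administrator+ requirement in this advisory reduces the attacker population but not the risk of the request itself, since the fetch still runs from the web server's network position.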

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 1


References: 4
