Export and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Description
The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated administrators can read arbitrary log files on the server via path traversal in the Export and Import Users and Customers plugin (≤2.6.2).
Vulnerability
The Export and Import Users and Customers plugin for WordPress (versions up to and including 2.6.2) contains a path traversal vulnerability in the download_file() function. This allows authenticated attackers with Administrator-level access or higher to read arbitrary log files from the server file system. The plugin is developed by WebToffee and is available on the WordPress plugin repository. The affected versions are all releases prior to 2.7.3. [1]
Exploitation
An attacker must have Administrator-level privileges on the WordPress site. No additional authentication is required beyond that. The attacker exploits the download_file() function by manipulating file path parameters to traverse directories and read arbitrary .log files (or other files with appropriate extensions) stored on the server. The exact sequence involves sending a crafted request that includes path traversal sequences such as ../ to navigate to sensitive log directories. The vulnerability does not require any user interaction or special network position, as it can be triggered via HTTP requests to the WordPress admin interface. [1]
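The defect class described above (a download routine that accepts a caller-supplied file name and lets `../` sequences escape the intended directory) is fixed by confining the resolved path, not by filtering characters. The following PHP handler is an added illustration written for this page; it is not the plugin's own `download_file()` code, and the function names, the log directory and the nonce action are hypothetical. It canonicalises both the base directory and the requested file with `realpath()`, refuses anything that does not stay under the base directory, and only then streams the file.

```php
<?php
// Added illustration, not the plugin's code. Names and paths are hypothetical.

/**
 * Resolve $requested inside $base_dir and return the canonical path only if
 * it stays within $base_dir and carries an allowed extension; null otherwise.
 */
function safe_log_path(string $base_dir, string $requested, array $allowed_ext = ['log']): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                                    // log directory missing
    }
    // Require a bare file name: no slashes, backslashes or NUL bytes.
    if ($requested === '' || strpbrk($requested, "/\\\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;                                    // does not exist or not a regular file
    }
    // The canonical target must begin with "<base>/"; this also rejects a
    // symlink inside the directory that points somewhere outside it.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/**
 * Hypothetical admin-side download handler: capability check, CSRF nonce,
 * path confinement, then the file is streamed.
 */
function hypothetical_download_log(): void {
    if (!current_user_can('manage_options')) {          // WordPress capability API
        wp_die('Forbidden', '', ['response' => 403]);
    }
    check_admin_referer('hypothetical_download_log');   // WordPress nonce check
    $requested = isset($_GET['file']) ? (string) wp_unslash($_GET['file']) : '';
    $log_dir   = WP_CONTENT_DIR . '/uploads/hypothetical-logs';   // hypothetical location
    $path      = safe_log_path($log_dir, $requested);
    if ($path === null) {
        wp_die('Invalid file', '', ['response' => 400]);
    }
    header('Content-Type: text/plain; charset=utf-8');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}
```

Because the vulnerable path here already requires Administrator privileges, the capability check alone would not have prevented the issue; the containment step in `safe_log_path()` is the layer that matters. Comparing `realpath()` output against the base directory plus a trailing separator is deliberate: a prefix test without the separator would accept a sibling directory such as `hypothetical-logs-old`.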
Impact
Successful exploitation allows an attacker to read the contents of arbitrary log files on the server. These log files may contain sensitive information such as database credentials, error messages, internal paths, or personal data. The compromise is limited to file read access; no write or execute capabilities are gained. The information disclosure can lead to further attacks if the exposed data includes secrets or PII. [1]
Mitigation
A patched version (2.7.3) was released on 2026-05-07, according to the WordPress plugin directory. Users should update to version 2.7.3 or later immediately. For sites that cannot be updated, the only workaround is to restrict Administrator-level access to trusted users only, as the vulnerability requires admin privileges. The plugin is actively maintained and tested up to WordPress 6.9.4. There is no indication that this CVE has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.6.2
- webtoffee/Export and Import Users and Customers (v5; Range: 0)
Patches
- r3259688
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/history/history.php (mitre)
- plugins.trac.wordpress.org/changeset/3259688/ (mitre)
- wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/ (mitre)
- www.wordfence.com/threat-intel/vulnerabilities/id/13b7a2e4-59f4-4d61-a165-a830ccfb696a (mitre)
News mentions
No linked articles in our index yet.