On February 26th, our Threat Intelligence team discovered a vulnerability in Import Export WordPress Users, a WordPress plugin installed on over 30,000 sites. The flaw allowed any authenticated user with subscriber-level access or above to import new users via a CSV file, including administrator-level users, because the import action did not check whether the caller was authorized to create users or to assign them a role.
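The write-up does not publish the plugin's own code, so the following is an added illustration of the bug class it describes, not the plugin's handler: a logged-in AJAX import action that trusts the uploaded CSV and never checks the caller's privileges, shown beside a hardened version. The action name `example_import_users`, the `csv` upload field, the `nonce` parameter, the CSV column layout and the helper `example_can_assign_role()` are all assumptions made for this example.

```php
<?php
/**
 * Added example, not the plugin's code. Action name, form fields, CSV layout
 * and the helper below are assumed. Assumed row layout: user_login,user_email,role
 */

/*
 * Pattern A (the bug class described above): a handler hooked on wp_ajax_*,
 * which any logged-in user can reach, that never asks who is calling it.
 * A Subscriber can simply put "administrator" in the role column.
 * Shown for contrast only; it is intentionally NOT registered below.
 */
function example_import_users_vulnerable() {
    $rows = array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) );
    foreach ( $rows as $row ) {
        wp_insert_user( array(
            'user_login' => $row[0],
            'user_email' => $row[1],
            'user_pass'  => wp_generate_password(),
            'role'       => $row[2],   // attacker-controlled role, no ceiling
        ) );
    }
    wp_die();
}

/*
 * Pattern B (hardened): nonce against CSRF, capability checks for
 * authorization, and a per-row check that the importer may grant that role.
 */
add_action( 'wp_ajax_example_import_users', 'example_import_users_hardened' );

function example_import_users_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_import_users', 'nonce' );

    // 2. Authorization: creating users and choosing their role are distinct
    //    capabilities; a Subscriber holds neither, so the request stops here.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        wp_send_json_error( 'no upload', 400 );
    }

    $results = array();
    foreach ( array_map( 'str_getcsv', file( $_FILES['csv']['tmp_name'] ) ) as $line => $row ) {
        if ( count( $row ) < 3 ) {
            $results[] = array( 'line' => $line, 'error' => 'malformed row' );
            continue;
        }
        list( $login, $email, $role ) = array_map( 'trim', $row );

        // 3. Privilege ceiling: never create an account with a role the
        //    importer could not grant themselves.
        if ( ! example_can_assign_role( $role ) ) {
            $results[] = array( 'line' => $line, 'error' => "role '{$role}' not permitted" );
            continue;
        }

        $user_id = wp_insert_user( array(
            'user_login' => sanitize_user( $login, true ),
            'user_email' => sanitize_email( $email ),
            'user_pass'  => wp_generate_password( 24 ),
            'role'       => $role,
        ) );
        $results[] = is_wp_error( $user_id )
            ? array( 'line' => $line, 'error' => $user_id->get_error_message() )
            : array( 'line' => $line, 'user_id' => $user_id );
    }
    wp_send_json_success( $results );
}

/**
 * Assumed helper: a role may be assigned only if it exists and the current
 * user already holds every capability it grants, so an Editor who somehow
 * reaches this handler still cannot mint an Administrator.
 */
function example_can_assign_role( $role_name ) {
    $role = get_role( $role_name );
    if ( ! $role instanceof WP_Role ) {
        return false;
    }
    foreach ( $role->capabilities as $cap => $granted ) {
        if ( $granted && ! current_user_can( $cap ) ) {
            return false;
        }
    }
    return true;
}
```

The two checks that matter are independent: the nonce stops a third party from making an administrator's browser submit the import, and the capability checks stop a low-privileged account from submitting it directly. Either one alone leaves a path open, and the per-row role ceiling guards against a later refactor that relaxes the caller check.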
We reached out to the plugin's developer on February 26th, who replied that they were already preparing an update with several security fixes. They released a patch for this problem before we had provided full disclosure details. After that initial release, we sent the developer additional security recommendations for issues it did not address, and they released a further patch covering those concerns shortly thereafter.
This is considered a high-severity security issue: an attacker holding nothing more than a subscriber account could create an administrator account and completely take over the site, and on sites with open registration a subscriber account is free for the asking. We highly recommend updating to the latest version, 1.3.9, immediately.