{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1972", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-04T21:03:27.259Z", "datePublished": "2025-03-22T11:18:40.240Z", "dateUpdated": "2026-04-08T16:44:08.977Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:08.977Z"}, "affected": [{"vendor": "webtoffee", "product": "Export and Import Users and Customers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server."}], "title": "Export and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d443c70-6537-4c6d-a282-12d392f0f558?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/history/history.php#L248"}, {"url": "https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3259688/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.7, "baseSeverity": "LOW"}}], "credits": [{"lang": "en", "type": "finder", "value": "Hay Mizrachi"}], "timeline": [{"time": "2025-03-21T23:18:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-24T21:21:32.593042Z", "id": "CVE-2025-1972", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-24T22:01:09.156Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-24T21:21:32.593042Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-24T21:21:34.364Z"}}], "cna": {"title": "Export and Import Users and Customers <= 2.6.2 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function", "credits": [{"lang": "en", "type": "finder", "value": "Hay Mizrachi"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "webtoffee", "product": "Export and Import Users and Customers", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-21T23:18:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d443c70-6537-4c6d-a282-12d392f0f558?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/history/history.php#L248"}, {"url": "https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers"}, {"url": "https://plugins.trac.wordpress.org/changeset/3259688/"}], "descriptions": [{"lang": "en", "value": "The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:08.977Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1972", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:08.977Z", "dateReserved": "2025-03-04T21:03:27.259Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-22T11:18:40.240Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:webtoffee:import_export_wordpress_users:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2F5A53F0-76A9-4CFE-9557-F72DAAEABCAF", "versionEndExcluding": "2.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server."}, {"lang": "es", "value": "El complemento Export and Import Users and Customers para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n admin_log_page() en todas las versiones hasta la 2.6.2 incluida. Esto permite que atacantes autenticados, con acceso de administrador o superior, eliminen archivos de registro arbitrarios en el servidor."}], "id": "CVE-2025-1972", "lastModified": "2025-07-09T17:46:11.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-22T12:15:26.453", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/history/history.php#L248"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3259688/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/users-customers-import-export-for-wp-woocommerce/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d443c70-6537-4c6d-a282-12d392f0f558?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:44:06.114798+00:00", "value": {"mitigation_remediation": ["Upgrade the Export and Import Users and Customers plugin to version 2.6.3 or later to eliminate the flawed path validation.\u00a0", "If the latest version cannot be applied, remove or deactivate the plugin entirely until a fix is available.\u00a0", "Restrict file permissions on the WordPress log directory so that only the web server user can delete files, thereby limiting the impact of any future unpatched path\u2011validation flaws.\u00a0", "Optionally disable or restrict access to the admin_log_page functionality for non\u2011essential administrators to minimize the attack surface."], "summary": {"action": "Patch Update", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Webtoffee Export and Import Users and Customers WordPress plugin. All versions up to and including 2.6.2 are impacted. Users of this plugin on any WordPress installation should confirm their plugin version.", "description_and_impact": "The Export and Import Users and Customers plugin for WordPress allows an authenticated attacker with Administrator privileges to delete arbitrary log files on the server due to insufficient file path validation in the admin_log_page() function. If exploited, the attacker can remove or tamper with log files, creating a denial\u2011of\u2011service scenario or erasing audit trail evidence. The weakness is classified as CWE\u201173.", "risk_and_exploitability": "The CVSS score of 2.7 indicates low to moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely but not impossible. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be a legitimate WordPress Administrator or higher and to supply a crafted path to the admin_log_page function; the plugin does not perform proper path sanitization, enabling the deletion of any file the web server can access."}}}}, "created": "2026-04-22T17:45:22.927293+00:00", "updated": "2026-04-22T17:45:22.927308+00:00", "vendors": []}