Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total7
Critical0
High1
Medium6
Reset
Showing 1-7 of 7 records
Threat Entry Updated 2026-03-23

CVE-2026-3629 - Import And Export Users And Customers Plugin

The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.29.7. This is due to the 'save_extra_user_profile_fields' function not properly restricting which user meta keys can be updated via profile fields. The 'get_restricted_fields' method does not include sensitive meta keys such as 'wp_capabilities'. This makes it possible for unauthenticated attackers to escalate their privileges to Administrator by submitting a crafted registration request that sets the 'wp_capabilities' meta key. The vulnerability can only be exploited if the "Show fields…

PLUGIN Import And Export Users And Customers

CVE-2026-3629

HIGH CVSS 8.1 2026-03-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4734 - Import And Export Users And Customers Plugin

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Import And Export Users And Customers

CVE-2024-4734

MEDIUM CVSS 4.4 2024-05-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4656 - Import And Export Users And Customers Plugin

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user agent header in all versions up to, and including, 1.26.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Import And Export Users And Customers

CVE-2024-4656

MEDIUM CVSS 4.4 2024-05-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-1050 - Import And Export Users And Customers Plugin

The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all forced password resets.

PLUGIN Import And Export Users And Customers

CVE-2024-1050

MEDIUM CVSS 4.3 2024-05-04
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6624 - Import And Export Users And Customers Plugin

The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.24.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Import And Export Users And Customers

CVE-2023-6624

MEDIUM CVSS 4.9 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6583 - Import And Export Users And Customers Plugin

The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information.

PLUGIN Import And Export Users And Customers

CVE-2023-6583

MEDIUM CVSS 6.6 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2022-1255 - Import And Export Users And Customers Plugin

The Import and export users and customers WordPress plugin before 1.19.2.1 does not sanitise and escaped imported CSV data, which could allow high privilege users to import malicious javascript code and lead to Stored Cross-Site Scripting issues

PLUGIN Import And Export Users And Customers

CVE-2022-1255

MEDIUM CVSS 4.8 2022-05-02
Open Full Technical Breakdown
Scroll to top