Export and Import Users and Customers WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Export and Import Users and Customers plugin for WordPress, affecting all versions through 2.6.2. The vulnerability arises from the deserialization of untrusted data in the 'form_data' parameter, allowing authenticated attackers with Administrator-level access to inject PHP objects. However, this vulnerability has no impact on its own, as there is no known object injection chain in the vulnerable plugin. The issue could be exploited if another plugin or theme with a suitable object injection chain is installed, potentially leading to actions such as deleting files, accessing sensitive information, or executing code, depending on the nature of the injected object chain.

Impact

Exploitation of this vulnerability could lead to unauthorized PHP object injection, with potential consequences depending on the presence of an object injection chain in another installed plugin or theme.

Reproduction

To reproduce this vulnerability, an authenticated user with Administrator privileges can upload a CSV file through the import feature of the 'Export and Import Users and Customers' WordPress plugin. The uploaded file can be crafted to include serialized PHP objects in the 'form_data' parameter, which the plugin will unserialize without proper validation, allowing for object injection.

Remediation

Users are advised to update the Export and Import Users and Customers WordPress plugin to version 2.6.3 or later.
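As an added illustration, not code from the plugin or from this advisory, the following PHP shows the unsafe pattern the advisory describes beside a hardened replacement a defender would ship. Only the 'form_data' field name comes from the advisory; the function names, the request handling and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added illustration (not the plugin's code). Field name 'form_data' is from
// the advisory; function names and sample inputs below are constructed.

// Unsafe: unserialize() on request-controlled input will instantiate any class
// whose definition is currently loaded, so a serialized object supplied by an
// Administrator could reach the magic methods (__wakeup, __destruct, ...) of a
// class from another installed plugin or theme. That is the "object injection
// chain" dependency the advisory describes.
function load_form_data_unsafe(string $raw)
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false refuses to instantiate objects at all.
// Any object in the payload becomes __PHP_Incomplete_Class, whose user-defined
// magic methods never run, and we then reject such values outright so only a
// plain array of scalars reaches the importer.
function load_form_data_safe(string $raw): array
{
    $decoded = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($decoded)) {
        // Malformed input or a bare object: refuse rather than guess.
        return [];
    }
    array_walk_recursive($decoded, function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('form_data must not contain objects');
        }
    });
    return $decoded;
}

// Preferred long-term fix: do not use PHP serialization for a form field at
// all. JSON cannot express objects with behaviour, so there is nothing to chain.
function load_form_data_json(string $raw): array
{
    $decoded = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Constructed sample inputs: a legitimate options array and the same array
// with an embedded object (stdClass, which carries no gadget; it only shows
// that the hardened loader rejects objects of any class).
$legitimate = serialize(['columns' => ['user_email', 'role'], 'delimiter' => ',']);
$withObject = serialize(['columns' => ['user_email'], 'extra' => new stdClass()]);

print_r(load_form_data_safe($legitimate));   // plain array passes through

try {
    load_form_data_safe($withObject);         // object is refused
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

print_r(load_form_data_json(json_encode(['columns' => ['user_email']])));
```

Note that `allowed_classes => false` is a containment measure: it stops the deserializer from instantiating classes, but the importer still has to validate the shape and contents of the resulting array. Moving the field to JSON removes the deserialization sink entirely, which is why it is shown as the preferred fix.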

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.