WordPress Export and Import Users and Customers Plugin Arbitrary File Deletion Vulnerability
Vulnerability
A vulnerability has been identified in the WordPress Export and Import Users and Customers plugin, versions 2.6.2 and prior, that allows authenticated users with Administrator-level access to delete arbitrary log files on the server. The issue stems from inadequate validation of file paths in the 'admin_log_page' function, which can be abused to perform file deletions the page was never intended to allow.
Impact
Exploitation of this vulnerability allows for limited arbitrary file deletion on the server.
Reproduction
The vulnerability can be reproduced by an authenticated user with Administrator privileges. When the 'admin_log_page' is accessed, the plugin does not properly validate the file paths of log files intended for deletion. This lack of validation can be exploited to delete specific log files from the server.
Remediation
Users are advised to update the WordPress Export and Import Users and Customers plugin to version 2.6.3 or later.
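The root cause described above (a log-management admin page that deletes whatever path it is handed) is best understood next to a handler that does the validation correctly. The following is an added example written for this advisory; it is not the plugin's own code and does not reproduce its real function. The function names (wpeiuc_resolve_log_path, wpeiuc_handle_delete_log), the nonce action, the request parameter 'log_file' and the log directory under wp-content/uploads are all assumptions. The check confines deletion to one directory by rejecting anything that is not a bare filename, resolving the path with realpath() so symlinks and '..' cannot escape, and then comparing the resolved path against the resolved base directory.

```php
<?php
// Added example (not the plugin's code): a hardened "delete log file" handler
// for a WordPress admin page. All names and the log directory are assumptions.

function wpeiuc_resolve_log_path( string $requested, string $log_dir ) {
    // Accept only a bare filename: no directory separators, no "..", no NUL bytes.
    $name = basename( $requested );
    if ( $name === '' || $name !== $requested || strpos( $name, "\0" ) !== false ) {
        return false;
    }
    // Restrict to the file types this page is meant to manage.
    if ( ! preg_match( '/^[A-Za-z0-9_\-]+\.log$/', $name ) ) {
        return false;
    }
    // realpath() resolves symlinks and "..", so the prefix check below compares
    // the real on-disk location, not the string the client supplied.
    $base = realpath( $log_dir );
    $full = realpath( $log_dir . DIRECTORY_SEPARATOR . $name );
    if ( $base === false || $full === false ) {
        return false;
    }
    if ( strpos( $full, $base . DIRECTORY_SEPARATOR ) !== 0 || ! is_file( $full ) ) {
        return false;
    }
    return $full;
}

function wpeiuc_handle_delete_log() {
    // Capability check plus a nonce: only administrators, and only through a
    // signed link or form, can reach the deletion code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpeiuc_delete_log' );

    // Assumed log location; the real plugin's directory layout is not shown here.
    $log_dir   = trailingslashit( wp_upload_dir()['basedir'] ) . 'wpeiuc-logs';
    $requested = isset( $_GET['log_file'] )
        ? sanitize_file_name( wp_unslash( $_GET['log_file'] ) )
        : '';

    $path = wpeiuc_resolve_log_path( $requested, $log_dir );
    if ( $path === false ) {
        wp_die( 'Invalid log file.', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $path );

    $redirect = wp_get_referer();
    if ( ! $redirect ) {
        $redirect = admin_url();
    }
    wp_safe_redirect( add_query_arg( 'deleted', '1', $redirect ) );
    exit;
}
add_action( 'admin_post_wpeiuc_delete_log', 'wpeiuc_handle_delete_log' );
```

The essential property is that the deletion target is derived from a whitelisted filename joined to a fixed directory, never from a client-supplied path, and that the resolved result is re-checked against the resolved base directory before unlink. The capability and nonce checks do not replace that path validation; they only narrow who can reach it, which is why the original flaw is still reportable even though it requires Administrator access.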