WordPress Comments Import & Export Plugin Data Modification Vulnerability

Vulnerability

A vulnerability exists in the WordPress Comments Import & Export plugin for WooCommerce, affecting all versions prior to 2.4.4. The issue stems from a missing capability check in the save_settings function, which allows unauthorized data modification. Additionally, the plugin inadequately sanitizes and escapes FTP settings, enabling authenticated attackers with Subscriber-level access or higher to inject arbitrary web scripts into the plugin's settings page. These scripts would execute when an administrative user accesses the modified page.
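To show what the two defects described above look like from the fixing side, here is a hardened settings-save handler of the kind a WordPress plugin should use. It is an added illustration, not code from the plugin; the hook name, option key, field names and the `manage_options` capability are assumptions, and only the function name `save_settings` comes from the advisory.

```php
<?php
// Added illustration (not the plugin's own code). Hook name, option key,
// field names and the required capability are assumed for this example.

add_action( 'admin_post_example_cie_save_settings', 'example_cie_save_settings' );

function example_cie_save_settings() {
    // Capability check: the advisory's root cause is that save_settings lacked
    // this, so any authenticated user (Subscriber and up) could write settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }

    // Nonce check: rejects settings writes forged from another site.
    check_admin_referer( 'example_cie_settings' );

    // Sanitize on input: strip tags and control characters from every FTP
    // field so script markup is never stored in the option.
    $settings = array(
        'ftp_host' => sanitize_text_field( wp_unslash( $_POST['ftp_host'] ?? '' ) ),
        'ftp_port' => absint( $_POST['ftp_port'] ?? 21 ),
        'ftp_user' => sanitize_text_field( wp_unslash( $_POST['ftp_user'] ?? '' ) ),
        'ftp_path' => sanitize_text_field( wp_unslash( $_POST['ftp_path'] ?? '' ) ),
    );

    update_option( 'example_cie_ftp_settings', $settings );

    wp_safe_redirect( add_query_arg( 'settings-updated', 'true', wp_get_referer() ) );
    exit;
}

// Escape on output as well (defense in depth): even a value that slipped past
// input sanitization cannot break out of the attribute on the settings page.
function example_cie_render_field( $name, $value ) {
    printf(
        '<input type="text" name="%s" value="%s" />',
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

Either check alone would have stopped the reported stored XSS; applying both, plus the nonce, is the usual WordPress pattern for settings handlers.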

Impact

Exploitation of this vulnerability could lead to unauthorized data modification and the injection of malicious scripts that execute in the context of an admin user.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access can inject scripts into the FTP settings fields. After saving the settings, the injected scripts will run when an admin user visits the Comments Import/Export plugin settings page.

Remediation

Users are advised to update the WordPress Comments Import & Export plugin for WooCommerce to version 2.4.4 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         3.4
impact:         5.4
exploitability: 6.2
remediation:    7.7
relevance:      0.0
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.