WordPress Import and Export Users and Customers Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the WordPress Import and Export Users and Customers plugin, affecting all versions through 1.29.7. The issue arises in the 'save_extra_user_profile_fields' function, which fails to properly restrict user meta keys that can be updated via profile fields. Specifically, the 'get_restricted_fields' method does not include sensitive keys like 'wp_capabilities'. This oversight allows unauthenticated attackers to escalate privileges to Administrator by sending a crafted registration request that includes the 'wp_capabilities' meta key. Exploitation requires the 'Show fields in profile' setting to be enabled and a CSV file with a 'wp_capabilities' column header to have been imported previously.
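A hardened form of the restricted-field check this advisory describes, as an added example that is not the plugin's own code: role-bearing meta keys (including the table-prefix variant of 'wp_capabilities') are stripped from submitted profile fields before anything reaches user meta. The function names and the table-prefix argument are assumptions; in WordPress the prefix would come from $wpdb->prefix.

```php
<?php
// Added example, not the plugin's own code. In WordPress the prefix argument
// would be $wpdb->prefix; function and parameter names are assumptions.

// Meta keys that must never be writable from a form. Both the default 'wp_'
// prefix and the site's real table prefix are covered, because WordPress
// stores roles under "{$table_prefix}capabilities".
function sensitive_user_meta_keys(string $table_prefix): array {
    $suffixes = ['capabilities', 'user_level', 'user-settings', 'user-settings-time'];
    $keys = ['session_tokens', 'use_ssl'];
    foreach (array_unique(['wp_', $table_prefix]) as $prefix) {
        foreach ($suffixes as $suffix) {
            $keys[] = $prefix . $suffix;
        }
    }
    return $keys;
}

// Split submitted fields into allowed and rejected sets. Keys are trimmed and
// compared case-insensitively, so 'WP_Capabilities ' is rejected too. A denylist
// mirrors the get_restricted_fields design named on the page; an allowlist of the
// exact field names a site expects is stronger where feasible.
function filter_profile_fields(array $submitted, string $table_prefix): array {
    $blocked = array_map('strtolower', sensitive_user_meta_keys($table_prefix));
    $allowed = [];
    $rejected = [];
    foreach ($submitted as $key => $value) {
        $normalized = strtolower(trim((string) $key));
        if (in_array($normalized, $blocked, true)) {
            $rejected[$key] = $value;
        } else {
            $allowed[$key] = $value;
        }
    }
    return [$allowed, $rejected];
}

// Constructed sample request: ordinary profile fields plus two role-related keys.
$request = [
    'first_name'      => 'Alice',
    'phone'           => '555-0100',
    'wp_capabilities' => '[serialized role array]',
    'wp_user_level'   => '10',
];
[$allowed, $rejected] = filter_profile_fields($request, 'wp_');
// Rejections should be logged as tampering attempts rather than silently dropped.
printf("allowed: %s\nrejected: %s\n",
    implode(', ', array_keys($allowed)), implode(', ', array_keys($rejected)));
```

Logging the rejected keys gives defenders a concrete detection signal for registration requests that attempt to set role or capability meta.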

Impact

Exploitation of this vulnerability allows unauthenticated users to gain Administrator privileges on the WordPress site.

Reproduction

To reproduce this vulnerability, first ensure that the 'Show fields in profile' option is activated. Then, import a CSV file that includes a column labeled 'wp_capabilities'. After this import, the vulnerability can be exploited by submitting a registration request that includes the 'wp_capabilities' meta key, which will be accepted and processed due to the lack of proper validation.

Remediation

Users are advised to update the Import and Export Users and Customers plugin to version 2.0 or a later patched version.

Added: Mar 21, 2026, 11:20 PM
Updated: Mar 21, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 5.0
exploitability: 7.4
remediation: 8.3
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.