Import and export users and customers
cpe:2.3:a:codection:import_and_export_users_and_customers:*:*:*:*:wordpress:*:*
- <= 2.0.8
A privilege escalation vulnerability has been identified in the WordPress Import and Export Users and Customers plugin, affecting all versions up to and including 2.0.8. The vulnerability arises in the 'save_extra_user_profile_fields()' function, where an incomplete blocklist allows capability meta keys for subsites in a WordPress Multisite network to bypass restrictions and be written directly to user meta. This flaw enables authenticated attackers with Subscriber-level access and above to escalate their privileges to Administrator on any subsite within the network by submitting a crafted profile update.
Exploitation of this vulnerability allows authenticated users with Subscriber-level access to escalate their privileges to Administrator on any subsite within the WordPress Multisite network.
Two preconditions must hold before this vulnerability can be reproduced: an administrator must have imported a CSV file whose column headers include multisite-prefixed capability keys into the WordPress Import and Export Users and Customers plugin, and the 'Show fields in profile?' option must be enabled, which exposes those keys as editable fields on the user profile page. Once these conditions are met, an authenticated user with Subscriber-level access can submit a profile update through the '/wp-admin/profile.php' page that includes the crafted data exploiting the vulnerability.
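The root cause above is a blocklist that covers only the main site's capability keys. The following is an added, hypothetical example (not the plugin's own code) of a filter that rejects the main-site keys and every subsite-prefixed variant before a submitted profile field could reach update_user_meta(); the function names, the default base prefix and the sample submission are assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical, not the plugin's code): decide whether a submitted
// profile field name may be written to user meta. A fixed list of main-site keys
// ("wp_capabilities", "wp_user_level") misses subsite keys such as
// "wp_2_capabilities", which is the gap this advisory describes.

/**
 * Return true when $key is a capability/role meta key for the main site or any
 * subsite, given the database base prefix (e.g. "wp_").
 */
function is_capability_meta_key(string $key, string $base_prefix = 'wp_'): bool
{
    // Matches <prefix>capabilities, <prefix>user_level and <prefix><blog_id>_<either>.
    // Case-insensitive, since the database collation may not distinguish case.
    $pattern = '/^' . preg_quote($base_prefix, '/') . '(?:\d+_)?(?:capabilities|user_level)$/i';
    return (bool) preg_match($pattern, $key);
}

/**
 * Filter submitted profile fields: drop any key that would grant roles or
 * capabilities, plus anything WordPress treats as protected (leading "_").
 */
function filter_extra_profile_fields(array $submitted, string $base_prefix = 'wp_'): array
{
    $safe = [];
    foreach ($submitted as $key => $value) {
        if (!is_string($key) || $key === '' || $key[0] === '_') {
            continue;
        }
        if (is_capability_meta_key($key, $base_prefix)) {
            continue; // role/capability keys are never user-editable
        }
        $safe[$key] = $value;
    }
    return $safe;
}

// Constructed sample of a profile update that mixes a legitimate field with
// main-site and subsite capability keys (values are placeholders).
$submitted = [
    'phone'             => '555-0100',
    'wp_capabilities'   => '<crafted value>',
    'wp_2_capabilities' => '<crafted value>',
    'wp_2_user_level'   => '<crafted value>',
];
// Print the keys that would be allowed through to user meta.
var_dump(array_keys(filter_extra_profile_fields($submitted)));
```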
Users are advised to update the WordPress Import and Export Users and Customers plugin to version 2.0.9 or a newer patched version.