Vulnerability Report

CVE-2020-22277 Import Export Users Customers WordPress Plugin CMDI

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

Import and Export Users and Customers WordPress Plugin through 1.15.5.11 allows CSV injection via a customer's profile. According to the vendor, the plugin is a clean and easy-to-use tool for importing users: custom user meta is included automatically from a CSV file, the delimiter is auto-detected, an e-mail can be sent to each imported user, and all imported meta data is ready to edit in the user profile.


CVSS Score

The CVSS Base Score is 8.0 (High)

Affected Version

Import and export Users and Customers WordPress Plugin 1.15.5.11

Vulnerability Attribution

Mohamad Pishdar - Web security specialist in Imam Khomeini International University Cert Center (cert.ikiu.ac.ir)-IRAN

Risk Impact

A successful exploitation of this vulnerability results in remote code execution. A public exploit is available.

Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)-Web can detect this attack as a Command Injection attack. VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary would be denied by VSP-Host's Process and Script Monitoring capability.
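The CSV injection described in the summary above arises when profile values that a spreadsheet evaluates as formulas are written unchanged into an exported CSV file. The following added example (not code from the plugin, the vendor or Virsec) shows the defensive side: a CSV export routine that neutralizes such cells and a check that flags the profile fields needing it; the field names and sample profiles are constructed.

```python
import csv
import io
import re

# Leading characters that common spreadsheet applications treat as the start of a
# formula when a CSV file is opened, which is what makes CSV injection possible.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
_SIGNED_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

def needs_neutralizing(value: str) -> bool:
    """True if a cell value would be evaluated as a formula by a spreadsheet."""
    if not value.startswith(FORMULA_PREFIXES):
        return False
    # A signed plain number such as "-12.50" is data, not a formula.
    return not (value[0] in "+-" and _SIGNED_NUMBER.fullmatch(value))

def neutralize_cell(value) -> str:
    """Return a value that is safe to write into one CSV cell.
    Line breaks are collapsed so a value cannot spill into a new row, and
    formula-looking values get a leading apostrophe so spreadsheets keep them
    as text. Field quoting itself is left to csv.writer.
    """
    text = "" if value is None else str(value)
    text = text.replace("\r", "").replace("\n", " ")
    return "'" + text if needs_neutralizing(text) else text

def export_users_csv(users, fields) -> str:
    """Render user profile dicts as CSV text with every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for user in users:
        writer.writerow(neutralize_cell(user.get(f, "")) for f in fields)
    return buf.getvalue()

def find_suspicious_fields(user) -> list:
    """Detection side: list the profile fields that would need neutralizing."""
    return [k for k, v in user.items() if isinstance(v, str) and needs_neutralizing(v)]

# Constructed sample profiles (not from the advisory): one ordinary user and one
# whose editable profile fields carry formula-looking values.
SAMPLE_USERS = [
    {"user_login": "alice", "display_name": "Alice", "billing_city": "Berlin", "balance": "-12.50"},
    {"user_login": "mallory", "display_name": "=1+1", "billing_city": "@SUM(A1)", "balance": "+1 555 0100"},
]

if __name__ == "__main__":
    print(export_users_csv(SAMPLE_USERS, ["user_login", "display_name", "billing_city", "balance"]))
```

Running find_suspicious_fields over stored profiles before an export is a cheap way to surface injected values that were saved through the profile editor.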
