CVE-2023-6583 in Import and Export Users and Customers Plugininfo

Summary

by MITRE • 01/11/2024

The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-6583 affects the Import and export users and customers plugin for WordPress, representing a critical directory traversal flaw that has persisted across all versions up to and including 1.24.2. This security weakness specifically manifests through the plugin's Recurring Import functionality, which allows authenticated attackers with administrator-level privileges or higher to exploit the system's file handling mechanisms. The vulnerability stems from inadequate input validation and sanitization within the plugin's file operations, creating an avenue for malicious file access that extends far beyond normal operational boundaries.

The technical implementation of this vulnerability exploits the plugin's failure to properly validate file paths during import and export operations, particularly when processing recurring import tasks. Attackers can manipulate the file traversal parameters to navigate beyond the intended directory structures and access sensitive system files that should remain protected. The impact is particularly severe because the vulnerability allows for arbitrary file reading and deletion capabilities, meaning an attacker with administrator access can target critical files such as wp-config.php which contains database credentials, authentication keys, and other sensitive configuration data that would compromise the entire WordPress installation and potentially the underlying server infrastructure.

From an operational perspective, this vulnerability creates a significant risk for WordPress administrators who may not fully understand the implications of the plugin's functionality or the security controls in place. The requirement for administrator-level access means that the vulnerability typically requires an attacker to have already compromised administrative credentials, but once achieved, it provides extensive access to sensitive system information. The Recurring Import functionality suggests that the vulnerability could be exploited automatically through scheduled tasks, potentially allowing attackers to maintain persistent access or systematically extract information over time. This makes the vulnerability particularly dangerous in environments where administrative credentials may be compromised through social engineering, weak password practices, or other attack vectors.

The security implications extend beyond simple file access to encompass potential system compromise and data exfiltration. When an attacker can read wp-config.php, they gain access to database connection details, encryption keys, and other critical configuration elements that could enable them to escalate privileges, access databases directly, or launch further attacks against the network. This vulnerability aligns with CWE-22 Directory Traversal and CWE-77 Path Traversal, which specifically address the security risks associated with improper input validation in file system operations. The ATT&CK framework would categorize this vulnerability under T1078 Valid Accounts for the initial access requirement, and potentially T1566 Phishing for the credential compromise that enables exploitation. Organizations should implement immediate mitigations including plugin updates to versions that address the directory traversal issue, strict access controls, regular security audits, and monitoring for unusual file access patterns that might indicate exploitation attempts.

Reservation

12/07/2023

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00809

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!