CVE-2023-3459: Changeset 2938705 for users-customers-import-export-for-wp-woocommerce – WordPress Plugin Repository
The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘hf_update_customer’ function, which is reached via an AJAX action, in versions up to and including 2.4.1. This makes it possible for authenticated attackers with Shop Manager-level permissions to change other users' passwords and potentially take over administrator accounts. Changeset r2938705 below is the 2.4.2 release; its changelog entry describes the fix as "Admin user details are updated when importing as shop manager".
users-customers-import-export-for-wp-woocommerce/trunk/admin/css/wt-import-export-for-woo-admin.css
r2884206
r2938705
306
306
/* to enable “word-break: break-all” */
307
307
padding: 5px;
308
word-break: break-all; /* 4. */
308
word-break: normal; /* 4. */
309
309
}
310
310
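--- a/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/data/data-user-columns.php
+++ b/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/data/data-user-columns.php
@@ -68,4 +68,5 @@
 $columns['shipping_state'] = 'shipping_state';
 $columns['shipping_country'] = 'shipping_country';
+$columns['wc_last_active'] = 'wc_last_active';
 
 endif;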
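--- a/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/data/data/data-wf-reserved-fields-pair.php
+++ b/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/data/data/data-wf-reserved-fields-pair.php
@@ -63,4 +63,5 @@
 $columns['shipping_state'] = array('title'=>'Shipping state','description'=>'');
 $columns['shipping_country'] = array('title'=>'Shipping country','description'=>'');
+$columns['wc_last_active'] =array('title'=>'Wc last active','description'=>'');
 endif;
 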
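--- a/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/export/export.php
+++ b/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/export/export.php
@@ -177,8 +177,8 @@
 global $wpdb;
 $csv_columns = $this->parent_module->get_selected_column_names();
 
 $user = get_user_by('id', $id);
-
 $customer_data = array();
+
 foreach ($csv_columns as $key => $value) {
 
@@ -215,4 +215,15 @@
 continue;
 }
+if( $key == 'last_update'){
+$date_in_timestamp = (!empty($user->{$key})) ? $user->{$key} : 0;
+$customer_data[$key] = date('Y-m-d H:i:s', $date_in_timestamp);
+continue;
+}
+if($key == 'wc_last_active'){
+$date_in_timestamp = (!empty($user->{$key})) ? $user->{$key} : 0;
+$customer_data[$key] = date('Y-m-d', $date_in_timestamp);
+continue;
+}
+
 
 $customer_data[$key] = isset($user->{$key}) ? maybe_serialize($user->{$key}) : '';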
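Review bot: The two new branches (new lines 217–226) fall back to timestamp 0 when the meta is empty, so `date()` writes `1970-01-01 00:00:00` (or `1970-01-01`) into the CSV for every user that has never had `last_update`/`wc_last_active` set; re-importing that file then pushes the string through `strtotime()` in import.php and stores a bogus epoch-era timestamp as real meta. Emitting an empty cell keeps the round trip lossless: `$customer_data[$key] = !empty($user->{$key}) ? date('Y-m-d H:i:s', (int) $user->{$key}) : '';` (and the `Y-m-d` variant for `wc_last_active`). The `(int)` cast also guards against a non-numeric meta value, which `date()` rejects with a TypeError on PHP 8, and `wp_date()`/`gmdate()` would be the WordPress-preferred way to choose the timezone instead of the server default. The enclosing loop and method continue outside the hunk.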
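--- a/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/import/import.php
+++ b/users-customers-import-export-for-wp-woocommerce/trunk/admin/modules/user/import/import.php
@@ -12,4 +12,9 @@
 public $parent_module = null;
 public $parsed_data = array();
+public $user_all_fields = array();
+public $user_base_fields = array();
+public $use_same_password = array();
+public $user_meta_fields = array();
+public $current_user = array();
 
 
@@ -33,4 +38,5 @@
 public function __construct($parent_object) {
 
+$this->current_user = get_current_user_id();
 $this->parent_module = $parent_object;
 $this->user_all_fields = include plugin_dir_path( __FILE__).'../data/data-user-columns.php';
@@ -127,5 +133,5 @@
 */
 public function parse_users( $data ) {
 
 try{
 $data = apply_filters('wt_user_importer_pre_parse_data', $data);
@@ -222,7 +228,11 @@
 
 foreach ($this->user_meta_fields as $key => $value){
+if($key == 'wc_last_active' || $key == 'last_update'){
+$date = isset( $item[$key] ) ? trim($item[$key]) : "" ;
+$item[$key] = strtotime($date);
+}
 $user_meta[] = array( 'key' => $key, 'value' => isset( $item[$key] ) ? trim($item[$key]) : "" );
 }
 
 // the $user_details array will now contain the necessary name-value pairs for the wp_users table, and also any meta data in the 'usermeta' array
 $parsed_details = array();
@@ -230,5 +240,4 @@
 $parsed_details['user_details'] = $user_details;
 $parsed_details['user_meta'] = $user_meta;
-
 return $parsed_details;
 } catch (Exception $e) {
@@ -253,11 +262,21 @@
 
 if ($user_id && $this->merge) {
-$current_user = get_current_user_id();
+$current_user = $this->current_user;
 if ($current_user == $user_id) {
-$usr_msg = 'This user is currently logged in hence we cannot update.';
-$this->hf_log_data_change('user-csv-import', sprintf(__('> “%s”' . $usr_msg), $user_id), true);
+$this->hf_log_data_change('user-csv-import', sprintf(__('> “%s” This user is currently logged in hence we cannot update.'), $user_id), true);
 unset($post);
-return new WP_Error( 'parse-error',sprintf(__('> “%s”' . $usr_msg), $user_id));
-}
+return new WP_Error( 'parse-error',sprintf(__('> “%s” This user is currently logged in hence we cannot update.'), $user_id));
+}
+$user = get_userdata($user_id);
+$roles = $user->roles;
+$only_update_admin_with_admin = apply_filters('wt_ier_update_admin_only_by_admin_user', true);
+if(in_array('administrator', $roles) && $only_update_admin_with_admin ){
+$current_user = get_userdata($current_user);
+$current_roles = $current_user->roles;
+if(!in_array('administrator', $current_roles)){
+return new WP_Error( 'parse-error',sprintf(__('> “%s” Only a user with an Administrator role has the capability to update a user with an Administrator role.'), $user_id));
+}
+}
+
 $user_id = $this->hf_update_customer($user_id, $post);
 } else {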
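Review bot: The new guard in the `$this->merge` branch (new lines 270–279) decides by role name, so it only stops a non-administrator from updating a user whose `roles` contains 'administrator'; a Shop Manager can still push a new password onto editors, other shop managers or any custom role through the same import path, and a site that returns false from `wt_ier_update_admin_only_by_admin_user` drops the check entirely. A capability check before `hf_update_customer()`, e.g. `if (!user_can($current_user, 'edit_user', $user_id))`, covers those cases as well and defers to WooCommerce's own mapping of which users a shop manager may edit (I believe it limits `edit_user` to customer/subscriber targets — worth confirming). The block also assumes `get_userdata($current_user)` succeeds: when `$this->current_user` is 0 (no logged-in user, e.g. cron or CLI) it returns false, `$current_user->roles` is null and `in_array()` raises a TypeError on PHP 8. Nothing in this changeset touches the AJAX entry point named in the advisory, so any other caller reaching `hf_update_customer()` without going through this branch stays unguarded; the enclosing method continues outside the hunk.
```php
// … unchanged: logged-in-user guard …
$user = get_userdata($user_id);
if (!$user) {
    return new WP_Error('parse-error', sprintf(__('> “%s” User not found.'), $user_id));
}
$only_update_admin_with_admin = apply_filters('wt_ier_update_admin_only_by_admin_user', true);
if (in_array('administrator', (array) $user->roles, true) && $only_update_admin_with_admin) {
    $actor = get_userdata($current_user);
    if (!$actor || !in_array('administrator', (array) $actor->roles, true)) {
        return new WP_Error('parse-error', sprintf(__('> “%s” Only a user with an Administrator role has the capability to update a user with an Administrator role.'), $user_id));
    }
}
// Capability-based gate, independent of role names: covers editors, other shop managers, custom roles.
if (!user_can($current_user, 'edit_user', $user_id)) {
    return new WP_Error('parse-error', sprintf(__('> “%s” The current user is not allowed to update this user.'), $user_id));
}
$user_id = $this->hf_update_customer($user_id, $post);
```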
users-customers-import-export-for-wp-woocommerce/trunk/includes/class-wt-import-export-for-woo.php
r2927717
r2938705
81
81
$this->version = WT\_U\_IEW\_VERSION;
82
82
} else {
83
$this->version = '2.4.1';
83
$this->version = '2.4.2';
84
84
}
85
85
$this->plugin\_name = 'wt-import-export-for-woo-basic';
users-customers-import-export-for-wp-woocommerce/trunk/readme.txt
r2927717
r2938705
6
6
Tested up to: 6.2
7
7
Requires PHP: 5.6
8
Stable tag: 2.4.1
8
Stable tag: 2.4.2
9
9
License: GPLv3
10
10
License URI: http://www.gnu.org/licenses/gpl-3.0.html
…
…
26
26
🔸 Export specific users based on username/email - Suggests email addresses and names in export data filter fields while you type in.
27
27
🔸 Tested OK with WordPress 6.2
28
🔸 Tested OK with WooCommerce 7.8
28
🔸 Tested OK with WooCommerce 7.8.2
29
29
🔸 Tested OK with PHP 8.2
30
30
…
…
206
206
== Changelog ==
207
207
208
= 2.4.2 2023-07-14 =
209
* [Fix] - Admin user details are updated when importing as shop manager.
210
* [Add] - Export and Import the last activity data of users.
211
* [Compatibility] - Tested OK with WooCommerce 7.8.2
208
212
= 2.4.1 2023-06-19 =
209
213
* [Fix] – Importing custom CSV with a colon in the column heading.
…
…
452
456
== Upgrade Notice ==
453
457
454
= 2.4.1 =
455
* [Fix] – Importing custom CSV with a colon in the column heading.
456
* [Fix] – Auto delete history option does not delete import logs
457
* [Update] – Tested OK with WooCommerce 7.8
458
= 2.4.2 =
459
* [Fix] - Admin user details are updated when importing as shop manager.
460
* [Add] - Export and Import the last activity data of users.
461
* [Compatibility] - Tested OK with WooCommerce 7.8.2
users-customers-import-export-for-wp-woocommerce/trunk/users-customers-import-export-for-wp-woocommerce.php
r2927717
r2938705
6
6
Author: WebToffee
7
7
Author URI: https://www.webtoffee.com/product/wordpress-users-woocommerce-customers-import-export/
8
Version: 2.4.1
8
Version: 2.4.2
9
9
Text Domain: users-customers-import-export-for-wp-woocommerce
10
10
Domain Path: /languages
11
WC tested up to: 7.8
11
WC tested up to: 7.8.2
12
12
Requires at least: 3.0
13
13
Requires PHP: 5.6
…
…
49
49
* Rename this for your plugin and update it as you release new versions.
50
50
*/
51
define('WT_U_IEW_VERSION’, ‘2.4.1’);
51
define('WT_U_IEW_VERSION’, ‘2.4.2’);
52
52
53
53
/**