The WordPress plugin 'Import Export WordPress Users' is used on over 30,000 websites, but contains a vulnerability in older versions. The vulnerability, discovered on February 26, allowed anyone with access at subscriber level or higher to import new users via a CSV file, including users at administrative level. An update of the plugin closes the vulnerability – more details can be found in this WordFence article.
Advertising
