CVE-2024-6477: 
WordPress vulnerability analysis and mitigation

The UsersWP WordPress plugin before version 1.2.12 contains a sensitive information disclosure vulnerability (CVE-2024-6477). The vulnerability was discovered and publicly disclosed on July 13, 2024. The issue affects the plugin's export functionality, which generates files with predictable names, potentially exposing sensitive user information (WPScan).

The vulnerability stems from the plugin's predictable filename generation when an administrator exports user data. When an admin generates an export via wp-admin/admin.php?page=userswp&tab=import-export, the resulting CSV file is saved with a predictable naming pattern: uwp-users-export-YY-MM-DD-HH-MM.csv in the /wp-content/uploads/cache/ directory. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

If exploited, this vulnerability allows unauthenticated attackers to download exported files containing sensitive user information, including IP addresses, usernames, and email addresses (WPScan).

The vulnerability has been patched in version 1.2.12 of the UsersWP plugin. Site administrators are strongly advised to update to this version or later to protect against potential data exposure (WPScan).