CVE-2024-7620: 
WordPress vulnerability analysis and mitigation

The Customizer Export/Import plugin for WordPress contains a vulnerability (CVE-2024-7620) that affects versions up to and including 0.9.7. The vulnerability is related to arbitrary file uploads due to missing file type validation in the '_import' function. This security issue was discovered and reported by Wordfence (Wordfence Report).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). It has been assigned a CVSS v3.1 score of 6.6 (Medium) with the following vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue stems from inadequate file type validation in the '_import' function, which could potentially lead to arbitrary file uploads (NVD).

The vulnerability allows authenticated attackers with Administrator-level access or higher to upload arbitrary files to the affected site's server. This could potentially lead to remote code execution. However, the impact is somewhat limited due to the requirement of high-level privileges and the presence of a race condition (NVD).

Users should update their Customizer Export/Import plugin to a version newer than 0.9.7 to address this vulnerability. The fix has been implemented in the WordPress plugin repository (WordPress Plugin).