CVE-2025-1970: 
WordPress vulnerability analysis and mitigation

The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 2.6.2. The vulnerability was discovered on March 21, 2025, and was assigned CVE-2025-1970. The issue exists in the validate_file() function, which allows authenticated attackers with Administrator-level access or above to make web requests to arbitrary locations originating from the web application (NVD).

The vulnerability is present in the validate_file() function of the plugin. It has been assigned a CVSS v3.1 Base Score of 7.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N. The issue has been classified as CWE-918 (Server-Side Request Forgery) (NVD, WordPress Plugin).

The vulnerability allows authenticated attackers with administrator privileges to make web requests to arbitrary locations originating from the web application. This can be exploited to query and modify information from internal services, potentially exposing sensitive data or internal systems (NVD).

The vulnerability has been patched in version 2.6.3 of the plugin. Users are strongly advised to update to this version immediately. The update includes fixes for Server-Side Request Forgery, Arbitrary File Deletion, PHP Object Injection, and Directory Traversal vulnerabilities (WordPress Plugin).