CVE-2025-1973: 
WordPress vulnerability analysis and mitigation

The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in versions up to and including 2.6.2. The vulnerability exists in the download_file() function, which allows authenticated attackers with Administrator-level access or above to read arbitrary log files on the server that may contain sensitive information (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'). It has a CVSS v3.1 Base Score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue was discovered in the download_file() function within the plugin's history module (WordPress Plugin).

The vulnerability allows authenticated attackers with administrator privileges to read arbitrary log files on the server. This could lead to exposure of sensitive information stored in log files, potentially compromising system security (NVD).

The vulnerability has been patched in version 2.6.3 of the plugin. Users are strongly advised to update to this version immediately. The update includes fixes for multiple security issues including the Path Traversal vulnerability (WordPress Plugin).