CVE-2025-24689: 
WordPress vulnerability analysis and mitigation

The Import and export users and customers WordPress plugin is affected by a Sensitive Information Exposure vulnerability (CVE-2025-24689) discovered in versions up to and including 1.27.12. The vulnerability was discovered by Caesar Evan Santoso and publicly disclosed on January 27, 2025. This security issue allows unauthenticated attackers to access sensitive user or configuration data (WPScan).

The vulnerability has been assigned a CVSS score of 5.3-5.9 (medium severity) and is classified under CWE-200. The security flaw is related to the exposure of sensitive information in externally-accessible files or directories. The vulnerability specifically affects the plugin's data handling mechanisms, potentially exposing sensitive user and configuration information (WPScan, Patchstack).

The vulnerability could allow malicious actors to view sensitive information that is normally not accessible to regular users. This exposed data could potentially be used to exploit other weaknesses in the system (Patchstack).

The vulnerability has been fixed in version 1.27.13 of the Import and export users and customers plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).