Cross-Site Request Forgery (CSRF)/Media Deletion Vulnerability in Import users from CSV with meta
One of the changelog entries for the latest version of Import users from CSV with meta is “XSS problem fixed when displaying data imported thanks to lckjack who reports it”. While checking whether that referred to a vulnerability we should be notifying the customers of our service about if they use the plugin, we found a different vulnerability that we could confirm still exists. The plugin’s functionality for deleting files uploaded through it isn’t properly secured, so an attacker could cause a logged-in Administrator to delete any WordPress media file without intending to.
The plugin registers the function that handles that to be accessible to anyone logged in to WordPress through its AJAX functionality:
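For contrast, here is what a WordPress AJAX deletion handler needs so that merely being logged in (or being tricked into sending a request) is not enough to delete media. This is an added example, not the plugin's own code; the `secplug_*` names, the `nonce` and `attachment_id` request fields, and the `admin.js` file are hypothetical.

```php
<?php
// Added example (not the plugin's code); secplug_* names are hypothetical.
//
// Weak pattern, as described in the advisory: the action is registered for
// every logged-in user and the handler deletes whatever ID it is given.
//
//   add_action( 'wp_ajax_secplug_delete', 'secplug_delete_weak' );
//   function secplug_delete_weak() {
//       wp_delete_attachment( (int) $_POST['attachment_id'], true ); // no nonce, no capability check
//       wp_die();
//   }
//
// Hardened pattern: the wp_ajax_ hook is still reachable by any logged-in
// user, so the handler itself must enforce CSRF protection and authorization.
add_action( 'wp_ajax_secplug_delete_attachment', 'secplug_delete_attachment' );

function secplug_delete_attachment() {
    // 1. CSRF: require a nonce bound to this action. Without it, a page on
    //    another site can make an administrator's browser issue the request.
    check_ajax_referer( 'secplug_delete_attachment', 'nonce' );

    // 2. Authorization: use the same meta capability WordPress core checks
    //    before deleting an attachment, evaluated for this specific object.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Scope: only act on attachments, never on arbitrary post IDs.
    if ( 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'not an attachment', 400 );
    }

    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

// The nonce is minted server side when the admin page renders and handed to
// the page's script, which sends it back as the 'nonce' POST field.
function secplug_enqueue_admin_js() {
    wp_enqueue_script( 'secplug-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'secplug-admin', 'secplugData', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'secplug_delete_attachment' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'secplug_enqueue_admin_js' );
```

When reviewing a plugin for this class of issue, look at every `wp_ajax_*` callback and confirm it calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check before any state-changing call.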