CVE-2025-10040
WP · WP Import – Ultimate CSV XML Importer for WordPress plugin
A high-severity vulnerability has been identified in the "WP Import – Ultimate CSV XML Importer" WordPress plugin.
Executive summary
A high-severity vulnerability has been identified in the "WP Import – Ultimate CSV XML Importer" WordPress plugin. This flaw allows any authenticated user, regardless of their permission level, to access sensitive data such as stored FTP credentials. Successful exploitation could lead to unauthorized access to the website's server, enabling an attacker to steal data, install malware, or deface the site.
Vulnerability
The vulnerability is an Improper Access Control issue due to a missing capability check. The plugin exposes an AJAX function called 'get_ftp_details' which is intended for administrative use. However, the function fails to verify that the user making the request has the necessary administrative privileges. An attacker with a low-privileged account, such as a subscriber, can send a direct request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) specifying this action, and the server will respond with the stored FTP details without authorization.
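The following is an added illustration of the defect class described above, not the plugin's own code. It contrasts an admin-only AJAX handler registered without a capability check with a hardened version. The callback names, the option key `example_ftp_details` and the nonce name are assumptions made for the example; `current_user_can`, `check_ajax_referer`, `wp_send_json_success` and `wp_send_json_error` are standard WordPress functions.

```php
<?php
// Added illustrative example (not the plugin's code). Function names, the
// 'example_ftp_details' option key and the nonce action are assumptions.

// --- Before: the pattern behind a missing-capability-check finding ---
// A wp_ajax_{action} hook fires for EVERY authenticated user, whatever their
// role, so the callback itself must enforce authorization. This one does not,
// so a subscriber who posts action=get_ftp_details receives the credentials.
function example_get_ftp_details_unchecked() {
    $details = get_option( 'example_ftp_details', array() );
    wp_send_json_success( $details );
}
// (Hooked exactly like the fixed version below; left unregistered here.)

// --- After: capability check, nonce check, and minimised response ---
add_action( 'wp_ajax_get_ftp_details', 'example_get_ftp_details_checked' );
function example_get_ftp_details_checked() {
    // 1. Authorization: only users allowed to manage site options may read
    //    stored credentials. This is the check the vulnerable handler lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action (created with wp_create_nonce( 'example_ftp_details_nonce' )).
    //    check_ajax_referer() terminates the request with a 403 on failure.
    check_ajax_referer( 'example_ftp_details_nonce', 'nonce' );

    // 3. Least exposure: even an administrator's browser does not need the
    //    password echoed back, so strip it before responding.
    $details = get_option( 'example_ftp_details', array() );
    unset( $details['password'] );
    wp_send_json_success( $details );
}
```

The ordering matters: the capability check runs first because it is the authorization decision, and the nonce check only protects a permitted user from being tricked into making the request; a nonce alone would not have prevented a subscriber from calling the action with their own valid nonce.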
Business impact
This is a High severity vulnerability with a CVSS score of 7.7. The primary business impact is the potential for a full server compromise. If an attacker successfully exploits this vulnerability to retrieve FTP credentials, they could gain direct access to the web server's file system. This access could be used to exfiltrate sensitive customer or business data, inject malicious code or malware into the website, deface the website causing reputational damage, or use the server to launch further attacks. The exposure of these credentials bypasses other security layers and poses a significant risk to data confidentiality, integrity, and availability.
Remediation
Immediate Action:
- Update: Immediately update the "WP Import – Ultimate CSV XML Importer for WordPress" plugin to the latest patched version (any version greater than 7.0). This is the primary and most effective remediation.
- Review and Remove: If the plugin is not essential for business operations, the most secure course of action is to deactivate and uninstall it to completely eliminate the attack surface.
- Security Audit: Review all stored credentials within WordPress and rotate any keys or passwords that may have been exposed, including the FTP credentials used by this plugin.
Proactive Monitoring:
- Log Analysis: Monitor web server access logs for POST requests to /wp-admin/admin-ajax.php containing the parameter action=get_ftp_details. Scrutinize any such requests originating from non-administrative users or untrusted IP addresses.
- File Integrity Monitoring (FIM): Implement or verify FIM on the web server to generate alerts for any unauthorized changes to website files, which could be an indicator of compromise via stolen FTP credentials.
- Network Monitoring: Monitor for unusual outbound traffic from the web server, which could indicate data exfiltration or communication with a command-and-control server.
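As an added example of the log analysis item above (not part of the advisory), the script below scans access log lines in the common/combined format for requests to /wp-admin/admin-ajax.php whose query string carries action=get_ftp_details and marks whether the source IP is on an administrator allow-list. The log lines and the trusted IP are constructed for the demonstration.

```php
<?php
// Added detection example (not from the advisory). Sample log lines and the
// trusted IP list are constructed for illustration.

/**
 * Return the access-log entries that request the get_ftp_details AJAX action.
 * Any HTTP method is reported, because admin-ajax.php reads the action from
 * $_REQUEST and therefore accepts it via GET as well as POST.
 */
function find_ftp_details_requests( array $lines, array $trusted_ips = array() ): array {
    $hits = array();
    // Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
    $pattern = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~';

    foreach ( $lines as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a well-formed access log line
        }
        [ , $ip, $time, $method, $target, $status ] = $m;

        $path  = parse_url( $target, PHP_URL_PATH );
        $query = (string) parse_url( $target, PHP_URL_QUERY );
        parse_str( $query, $params );

        if ( $path !== '/wp-admin/admin-ajax.php' ) {
            continue;
        }
        if ( ( $params['action'] ?? '' ) !== 'get_ftp_details' ) {
            continue;
        }

        $hits[] = array(
            'ip'      => $ip,
            'time'    => $time,
            'method'  => $method,
            'status'  => (int) $status,
            'trusted' => in_array( $ip, $trusted_ips, true ),
        );
    }
    return $hits;
}

// Constructed sample lines: one suspicious POST, one unrelated action, one
// request from an allow-listed administrator address.
$sample_lines = array(
    '203.0.113.7 - - [10/Oct/2025:12:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=get_ftp_details HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2025:12:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2025:12:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=get_ftp_details HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
);
$trusted_admin_ips = array( '192.0.2.10' ); // constructed allow-list

foreach ( find_ftp_details_requests( $sample_lines, $trusted_admin_ips ) as $hit ) {
    printf(
        "%s %s %s status=%d trusted=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['trusted'] ? 'yes' : 'no'
    );
}
```

Run with `php scan.php` after replacing `$sample_lines` with `file( '/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES )`. One caveat a practitioner should plan for: the default common/combined formats record only the request line, so an `action` parameter sent in the POST body (the usual case for browser-initiated AJAX) never appears in the access log and this scan will miss it. To cover that path, log request bodies at the reverse proxy or WAF, or record the `action` value on the WordPress side for admin-ajax requests.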
Compensating Controls:
- Web Application Firewall (WAF): If immediate patching is not feasible, implement a WAF rule to block any requests to /wp-admin/admin-ajax.php that contain the string action=get_ftp_details unless the request originates from a trusted administrator's IP address.
- Restrict Admin Access: Limit access to the WordPress administrative dashboard (/wp-admin/) to specific, whitelisted IP addresses.
- Principle of Least Privilege: Ensure the FTP account used by the plugin has the minimum necessary permissions and is chrooted/jailed to the specific directories it needs to access, limiting the scope of a potential compromise.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 7.7) and the risk of server compromise from exposed credentials, immediate remediation is strongly recommended. All organizations using the affected "WP Import – Ultimate CSV XML Importer for WordPress" plugin must prioritize applying the vendor-supplied update. While this CVE is not currently on the CISA KEV list, its direct impact and ease of exploitation make it a significant threat. If the plugin's functionality is not critical, the most prudent action is to remove it entirely to eliminate this and future risks associated with the software.