WP-Safety
CVE-2026-32441

Comments Import & Export <= 2.4.9 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.5.0
Patched in
8d
Time to patch

Description

The Comments Import & Export plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.4.9
PublishedMarch 20, 2026
Last updatedMarch 27, 2026
Affected plugincomments-import-export-woocommerce

What Changed in the Fix

Changes introduced in v2.5.0

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v2.4.9
Browse source Download .zip
Patched v2.5.0
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-32441 ## 1. Vulnerability Summary The **Comments Import & Export** plugin (up to 2.4.9) contains a missing authorization vulnerability where the administrative interface and its associated data processing functions are accessible to users with only **Subscrib…

Show full research plan

Exploitation Research Plan - CVE-2026-32441

1. Vulnerability Summary

The Comments Import & Export plugin (up to 2.4.9) contains a missing authorization vulnerability where the administrative interface and its associated data processing functions are accessible to users with only Subscriber-level permissions.

The primary cause is the registration of the administrative menu in includes/class-hf_cmt_impexpcsv-admin-screen.php using the read capability (via a filter), and the subsequent reliance on this low-privileged capability in authorization checks for exporting and potentially importing comments.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php (for single exports) and /wp-admin/admin.php?page=hw_cmt_csv_im_ex (for general access and bulk exports).
  • Vulnerable Actions:
    • wp_ajax_comment_export_to_csv_single (AJAX action for single comment export).
    • admin_action_download_to_cmtiew_csv_hf (Admin action for bulk export).
    • Access to the plugin dashboard at page=hw_cmt_csv_im_ex.
  • Payload Parameters:
    • action: comment_export_to_csv_single
    • comment_ID: The ID of the comment to export.
    • _wpnonce: Nonce for the comments-import-export-woocommerce action.
  • Preconditions: Attacker must be authenticated with at least Subscriber-level access.

3. Code Flow

  1. Menu Registration: In includes/class-hf_cmt_impexpcsv-admin-screen.php, the admin_menu() function registers the menu page:
    $page = add_comments_page(..., apply_filters('product_reviews_csv_product_role', 'read'), 'hw_cmt_csv_im_ex', array($this, 'output'));
    The read capability is the default for Subscribers.
  2. AJAX Handler Registration: The constructor of HW_Cmt_ImpExpCsv_Admin_Screen registers:
    add_action('wp_ajax_comment_export_to_csv_single', array($this, 'process_ajax_export_single_comment'));
  3. Weak Permission Check: process_ajax_export_single_comment() performs the following check:
    if (... || !HW_Product_Comments_Import_Export_CSV::hf_user_permission()) {
    wp_die(esc_html__('You do not have sufficient permissions...', 'comments-import-export-woocommerce'));
}
    The hf_user_permission() function (inferred based on the admin_menu logic) likely evaluates current_user_can(apply_filters('product_reviews_csv_product_role', 'read')), which passes for Subscribers.
  4. Data Sink: The function calls HW_Cmt_ImpExpCsv_Exporter::do_export($comment_IDs), which generates and streams a CSV containing comment data (author, email, IP, content) to the requester.

4. Nonce Acquisition Strategy

The comment_export_to_csv_single action requires a nonce with the action string comments-import-export-woocommerce. This nonce is embedded in the "Comments" list table in the WordPress admin dashboard, which Subscribers can access.

  1. Identify Access: Subscribers can view comments they've made or comments on their own posts.
  2. Navigate: Use the execution agent to navigate to wp-admin/edit-comments.php.
  3. Extract Nonce: The plugin adds a "Download to CSV" column. The link looks like:
    admin-ajax.php?action=comment_export_to_csv_single&comment_ID=123&_wpnonce=abc1234567
  4. JS Extraction:
    // Use browser_eval to find the link and extract the nonce
Array.from(document.querySelectorAll('a')).find(a => a.href.includes('comment_export_to_csv_single')).href.split('_wpnonce=')[1]

5. Exploitation Strategy

Goal: Export sensitive comment data (including author IPs and emails) as a Subscriber.

  1. Preparation: Ensure at least one comment exists in the system (ID 1).
  2. Login: Authenticate as a Subscriber user.
  3. Bypass Access Check: Verify that wp-admin/admin.php?page=hw_cmt_csv_im_ex loads successfully (200 OK).
  4. Obtain Nonce:
    • Navigate to wp-admin/edit-comments.php.
    • Extract the nonce for comments-import-export-woocommerce.
  5. Trigger Export:
    • Use http_request to call the AJAX endpoint.
    GET /wp-admin/admin-ajax.php?action=comment_export_to_csv_single&comment_ID=1&_wpnonce=[NONCE] HTTP/1.1
Host: localhost:8080
Cookie: [SUBSCRIBER_COOKIES]
  6. Verify Payload: The response should have headers like Content-Type: text/csv and contain the comment data.

6. Test Data Setup

  1. Comments: Ensure there is a comment with ID 1 (usually default in WP).
  2. User: Create a user with the subscriber role.
  3. Post: Create a post and ensure it has a comment so the edit-comments.php screen populated for the Subscriber.

7. Expected Results

  • A Subscriber can successfully access the plugin's restricted menu page.
  • A Subscriber can successfully trigger a single comment export.
  • The exported CSV contains sensitive fields such as comment_author_email and comment_author_IP.

8. Verification Steps

  1. Check HTTP Status: Ensure the request to the AJAX endpoint returns 200 OK rather than 403 Forbidden.
  2. Inspect Content: Verify the response body starts with CSV headers like "comment_ID","comment_post_ID",....
  3. CLI Verification: Use wp comment list to verify the data received matches the database.

9. Alternative Approaches

If the single comment export nonce is hard to find, try the Bulk Export action:

  1. Navigate to wp-admin/edit-comments.php.
  2. Select a comment checkbox.
  3. The bulk action dropdown will contain "Download to CSV".
  4. Submitting this form triggers admin.php?action=download_to_cmtiew_csv_hf.
  5. Check if this action validates the manage_options capability (it likely only checks the weak read capability).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Comments Import & Export plugin for WordPress fails to properly restrict access to its administrative interface and export functions. Authenticated attackers with Subscriber-level permissions can access the plugin's dashboard and trigger data exports that expose sensitive information, such as comment author IP addresses and email addresses, due to the use of the 'read' capability for authorization.

Vulnerable Code

// includes/class-hf_cmt_impexpcsv-admin-screen.php lines 69-74
    public function admin_menu() {
       
            $page = add_comments_page(esc_html__('Comments Im-Ex', 'comments-import-export-woocommerce'), __('Comments Im-Ex', 'comments-import-export-woocommerce'), apply_filters('product_reviews_csv_product_role', 'read'), 'hw_cmt_csv_im_ex', array($this, 'output'));
       
    }

---

// includes/class-hf_cmt_impexpcsv-admin-screen.php lines 45-50
    public function process_ajax_export_single_comment() {
        
        $nonce = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';
        if (!empty($nonce) && !wp_verify_nonce($nonce,'comments-import-export-woocommerce') || !HW_Product_Comments_Import_Export_CSV::hf_user_permission()) {
            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));
        }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/comments-import-export-woocommerce/2.4.9/includes/class-hf_cmt_impexpcsv-admin-screen.php /home/deploy/wp-safety.org/data/plugin-versions/comments-import-export-woocommerce/2.5.0/includes/class-hf_cmt_impexpcsv-admin-screen.php
--- /home/deploy/wp-safety.org/data/plugin-versions/comments-import-export-woocommerce/2.4.9/includes/class-hf_cmt_impexpcsv-admin-screen.php	2026-02-17 11:58:52.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/comments-import-export-woocommerce/2.5.0/includes/class-hf_cmt_impexpcsv-admin-screen.php	2026-02-19 17:04:42.000000000 +0000
@@ -69,9 +69,14 @@
      * Admin Menu
      */
     public function admin_menu() {
-       
-            $page = add_comments_page(esc_html__('Comments Im-Ex', 'comments-import-export-woocommerce'), __('Comments Im-Ex', 'comments-import-export-woocommerce'), apply_filters('product_reviews_csv_product_role', 'read'), 'hw_cmt_csv_im_ex', array($this, 'output'));
-       
+        // Restrict menu visibility to roles that can edit content by default.
+        $page = add_comments_page(
+            esc_html__('Comments Im-Ex', 'comments-import-export-woocommerce'),
+            __('Comments Im-Ex', 'comments-import-export-woocommerce'),
+            apply_filters('product_reviews_csv_product_role', 'edit_posts'),
+            'hw_cmt_csv_im_ex',
+            array($this, 'output')
+        );
     }
 
     /**
@@ -122,6 +127,10 @@
 	 * Admin Screen output
 	 */
 	public function output() {
+        // Prevent direct access to the admin screen by low-privileged users.
+        if (!HW_Product_Comments_Import_Export_CSV::hf_user_permission()) {
+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));
+        }
 
 		$tab = 'import';
         // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verification not needed.
@@ -136,6 +145,13 @@
 			}
 		}
 
+        $can_view_settings = current_user_can('manage_options');
+
+        // Settings include credentials; require admin capability.
+        if ('settings' === $tab && !$can_view_settings) {
+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));
+        }
+
 		include( 'views/html-hf-admin-screen.php' );
 	}
 
@@ -217,6 +233,9 @@
      * Admin Page for settings
      */
     public function admin_settings_page() {
+        if (!current_user_can('manage_options')) {
+            wp_die(esc_html__('You do not have sufficient permissions to access this page.', 'comments-import-export-woocommerce'));
+        }
         include( 'views/settings/html-hf-settings-products.php' );
     }

Exploit Outline

The attacker first authenticates as a user with Subscriber-level privileges. Since the plugin registers its admin menu with the 'read' capability, the attacker can navigate directly to the plugin's dashboard at /wp-admin/admin.php?page=hw_cmt_csv_im_ex. To export data, the attacker must obtain a valid security nonce for the 'comments-import-export-woocommerce' action, which is typically exposed in the WordPress admin's comment list page (/wp-admin/edit-comments.php) where the plugin injects 'Download to CSV' links. With this nonce and a target comment ID, the attacker sends a GET request to /wp-admin/admin-ajax.php?action=comment_export_to_csv_single&comment_ID=[ID]&_wpnonce=[NONCE]. The server processes this request because the authorization check erroneously permits any user with 'read' permissions, returning a CSV file containing sensitive metadata for the specified comment.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/14c5fd0c-0872-4b05-b28b-11353e9276d0?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database