Cyber Posture

CVE-2024-13562

High

Published: 25 January 2025

Modified: 04 February 2025
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0059 (69.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13562 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Importwp Import Wp. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 30.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-12 (Information Location).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly restricts unauthorized access to sensitive data stored in the publicly accessible /wp-content/uploads/ directory.

prevent: Protects confidentiality of sensitive user data and files at rest in the uploads directory using access controls or encryption.

prevent: Ensures sensitive information is not located in publicly accessible directories like /wp-content/uploads/ by applying location-based controls.

NVD Description

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.5 via the uploads directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/ directory which can contain information like imported or local user data and files.

Deeper analysis (AI)

CVE-2024-13562 is a sensitive information exposure vulnerability (CWE-200) in the Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress, affecting all versions up to and including 2.14.5. The flaw occurs via the uploads directory, where sensitive data is stored insecurely in the /wp-content/uploads/ directory, which can contain information such as imported or local user data and files. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Exploitation enables them to extract the sensitive data stored in the uploads directory, resulting in high-impact confidentiality loss but no impact on integrity or availability.

Advisories point to mitigation through the patch committed in WordPress plugins trac changeset 3226495. Further details on the vulnerability are available in the Wordfence threat intelligence report.

Details

CWE(s)

Affected Products

importwp
import wp
≤ 2.14.6

CVEs Like This One

CVE-2026-24870 (Shared CWE-200)
CVE-2026-4020 (Shared CWE-200)
CVE-2025-21620 (Shared CWE-200)
CVE-2025-62188 (Shared CWE-200)
CVE-2024-57716 (Shared CWE-200)
CVE-2026-27161 (Shared CWE-200)
CVE-2026-21260 (Shared CWE-200)
CVE-2025-24102 (Shared CWE-200)
CVE-2024-12142 (Shared CWE-200)
CVE-2025-59469 (Shared CWE-200)
