PT-2025-44717 · WordPress · Import Wp – Export/Import Csv/Xml Files To Wordpress
Published: 2025-11-01 · Updated: 2025-11-01
CVE-2025-12137
CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Import WP – Export and Import CSV and XML files to WordPress plugin versions prior to 2.14.17
Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is susceptible to Arbitrary File Read due to insufficient validation of file paths. The plugin’s REST API endpoint accepts arbitrary absolute file paths without proper validation within the attach_file() function when processing 'file_local' actions. This allows attackers with administrator-level access or higher to read arbitrary files on the server’s filesystem, including sensitive configuration and system files, by manipulating the local_url parameter.
Recommendations
Update the Import WP – Export and Import CSV and XML files to WordPress plugin to version 2.14.17 or later.
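The kind of path containment check whose absence the description points to, as an added example (not the plugin's code and not its 2.14.17 fix). The function name resolve_local_import_path() and the allowed base directory are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. Names here are hypothetical.

// Return the canonical path only if $supplied is a readable regular file
// inside $allowedBase; return null for anything else.
function resolve_local_import_path(string $supplied, string $allowedBase): ?string
{
    // Reject empty input, NUL bytes and stream wrappers (php://, phar://, ...).
    if ($supplied === '' || strpos($supplied, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $supplied)) {
        return null;
    }

    $base = realpath($allowedBase);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Relative input is taken relative to the base; absolute input is kept
    // as given and must still pass the containment test below.
    $isAbsolute = $supplied[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $supplied);
    $candidate = $isAbsolute ? $supplied : $base . DIRECTORY_SEPARATOR . $supplied;

    // realpath() collapses ../ segments and follows symlinks; false if missing.
    $real = realpath($candidate);
    if ($real === false || !is_file($real) || !is_readable($real)) {
        return null;
    }

    // Trailing separator so that /srv/imports-old does not match /srv/imports.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo: a temporary import directory holding one CSV file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'import-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0700);
$csv = $base . DIRECTORY_SEPARATOR . 'products.csv';
file_put_contents($csv, "sku,price\nA1,10\n");

$inputs = ['products.csv', $csv, '/etc/passwd', '../../etc/passwd', 'file:///etc/passwd'];
foreach ($inputs as $input) {
    $ok = resolve_local_import_path($input, $base) !== null;
    printf("%-60s %s\n", $input, $ok ? 'allowed' : 'rejected');
}

unlink($csv);
rmdir($base);
```

The comparison runs on the realpath() result rather than on the raw string, so an absolute path, a ../ sequence or a symlink that leaves the base directory is caught by the same test.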
Affected Products
Import Wp – Export/Import Csv/Xml Files To Wordpress