PT-2025-46579 · WordPress · Wp Import – Ultimate Csv Xml Importer For Wordpress
Published
2025-11-12
·
Updated
2025-11-12
·
CVE-2025-12732
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
WP Import – Ultimate CSV XML Importer for WordPress plugin versions prior to 7.34
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin contains a flaw that allows unauthorized access to sensitive information. This is due to a missing authorization check within the
showsetting() function. Attackers with Author-level access or higher can extract sensitive information, including OpenAI API keys configured through the plugin’s admin interface.Recommendations
Update to version 7.34 or later. As a temporary workaround, consider restricting access for users with Author-level access or higher to minimize the risk of exploitation.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Import – Ultimate Csv Xml Importer For Wordpress