PT-2026-1010 · WordPress · Wp Import – Ultimate Csv Xml Importer

Dieu Link +1
Published: 2026-01-01 · Updated: 2026-01-01
CVE-2025-14627
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Import – Ultimate CSV XML Importer for WordPress, versions prior to 7.36

Description: The plugin is susceptible to Server-Side Request Forgery (SSRF). It does not properly validate URLs after following Bitly shortlink redirects within the upload_function() method: the unshorten_bitly_url() function follows redirects without re-validating the final destination URL, so the server can be made to issue HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services. An authenticated attacker with Contributor-level access or higher can exploit this issue.

Recommendations: Update to version 7.36 or later.
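The defect described above is a redirect-following routine that validates only the URL it was handed, not where the redirects end up. The following added example (not the plugin's code) shows the fixed pattern: every hop of a shortlink chain, including the final destination, is checked against loopback, private, link-local and other non-public address ranges before any request is made. The fetch() callback, the FAKE_DNS table and the FAKE_HOPS redirect map are constructed stand-ins so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

MAX_REDIRECTS = 5


def is_public_ip(ip: str) -> bool:
    """True only for globally routable addresses: no loopback, RFC 1918, link-local..."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def is_safe_url(url: str, resolve=socket.gethostbyname) -> bool:
    """Reject non-http(s) URLs and hosts that resolve to a non-public address."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        ip = str(ipaddress.ip_address(p.hostname))  # literal IP: no DNS lookup
    except ValueError:
        try:
            ip = resolve(p.hostname)
        except (OSError, KeyError, ValueError):
            return False
    return is_public_ip(ip)


def unshorten_safely(url: str, fetch, resolve=socket.gethostbyname) -> str:
    """Follow shortlink redirects, re-validating every hop including the final one.
    fetch(url) -> (status, location) stands in for a HEAD request (hypothetical)."""
    for _ in range(MAX_REDIRECTS + 1):
        if not is_safe_url(url, resolve):
            raise ValueError(f"blocked non-public destination: {url}")
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url  # final destination, validated by the check above
        url = location
    raise ValueError("too many redirects")


# Constructed sample data (not real services): fake DNS answers and redirect hops.
FAKE_DNS = {"short.example": "93.184.216.34", "files.example": "93.184.216.34"}
FAKE_HOPS = {"https://short.example/ok": (301, "https://files.example/data.csv"),
             "https://short.example/bad": (302, "http://169.254.169.254/latest/meta-data/")}


def fake_fetch(url):
    return FAKE_HOPS.get(url, (200, None))
```

The check must run on every hop because the shortener, not the caller, chooses each Location header; validating only the initial URL is exactly the gap the advisory describes.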

Fix
Weakness Enumeration: SSRF
Related Identifiers: CVE-2025-14627
Affected Products: Wp Import – Ultimate Csv Xml Importer