CVE-2025-12137 (GCVE-0-2025-12137)

Vulnerability from cvelistv5 – Published: 2025-11-01 06:40 – Updated: 2025-11-03 13:30
VLAI?
Title
Import WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File Read
Summary
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-73 - External Control of File Name or Path
Assigner
References
Impacted products
Vendor Product Version
jcollings Import WP – Export and Import CSV and XML files to WordPress Affected: * , ≤ 2.14.16 (semver)
Create a notification for this product.
Credits
Jonas Benjamin Friedli
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12137",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-03T13:10:35.006687Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-03T13:30:23.253Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Import WP \u2013 Export and Import CSV and XML files to WordPress",
          "vendor": "jcollings",
          "versions": [
            {
              "lessThanOrEqual": "2.14.16",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jonas Benjamin Friedli"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Import WP \u2013 Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin\u0027s REST API endpoint accepting arbitrary absolute file paths without proper validation in the \u0027attach_file()\u0027 function when handling \u0027file_local\u0027 actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server\u0027s filesystem, including sensitive configuration files and system files via the \u0027local_url\u0027 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-01T06:40:40.047Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f10636ea-06aa-4186-a891-ed4bb0800c41?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Rest/RestManager.php#L1079"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Importer/ImporterManager.php#L435"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L212"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L56"
        },
        {
          "url": "https://owasp.org/www-community/attacks/Path_Traversal"
        },
        {
          "url": "https://cwe.mitre.org/data/definitions/36.html"
        },
        {
          "url": "https://github.com/importwp/importwp/commit/94cc524aa0c81be6463a9e8d154b00220e34709c"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3387749%40jc-importer\u0026new=3387749%40jc-importer\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-24T17:58:36.000+00:00",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-10-31T17:58:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Import WP \u2013 Export and Import CSV and XML files to WordPress \u003c= 2.14.16 - Authenticated (Admin+) Arbitrary File Read"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-12137",
    "datePublished": "2025-11-01T06:40:40.047Z",
    "dateReserved": "2025-10-23T21:15:40.493Z",
    "dateUpdated": "2025-11-03T13:30:23.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-12137\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2025-11-01T07:15:35.333\",\"lastModified\":\"2025-11-04T15:41:31.450\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Import WP \u2013 Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin\u0027s REST API endpoint accepting arbitrary absolute file paths without proper validation in the \u0027attach_file()\u0027 function when handling \u0027file_local\u0027 actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server\u0027s filesystem, including sensitive configuration files and system files via the \u0027local_url\u0027 parameter.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"references\":[{\"url\":\"https://cwe.mitre.org/data/definitions/36.html\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://github.com/importwp/importwp/commit/94cc524aa0c81be6463a9e8d154b00220e34709c\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://owasp.org/www-community/attacks/Path_Traversal\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L212\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L56\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Importer/ImporterManager.php#L435\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Rest/RestManager.php#L1079\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3387749%40jc-importer\u0026new=3387749%40jc-importer\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/f10636ea-06aa-4186-a891-ed4bb0800c41?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-12137\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-11-03T13:10:35.006687Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-11-03T13:10:35.764Z\"}}], \"cna\": {\"title\": \"Import WP \\u2013 Export and Import CSV and XML files to WordPress \u003c= 2.14.16 - Authenticated (Admin+) Arbitrary File Read\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Jonas Benjamin Friedli\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 4.9, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"jcollings\", \"product\": \"Import WP \\u2013 Export and Import CSV and XML files to WordPress\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.14.16\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-10-24T17:58:36.000+00:00\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2025-10-31T17:58:00.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/f10636ea-06aa-4186-a891-ed4bb0800c41?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Rest/RestManager.php#L1079\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Importer/ImporterManager.php#L435\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L212\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L56\"}, {\"url\": \"https://owasp.org/www-community/attacks/Path_Traversal\"}, {\"url\": \"https://cwe.mitre.org/data/definitions/36.html\"}, {\"url\": \"https://github.com/importwp/importwp/commit/94cc524aa0c81be6463a9e8d154b00220e34709c\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3387749%40jc-importer\u0026new=3387749%40jc-importer\u0026sfp_email=\u0026sfph_mail=\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Import WP \\u2013 Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin\u0027s REST API endpoint accepting arbitrary absolute file paths without proper validation in the \u0027attach_file()\u0027 function when handling \u0027file_local\u0027 actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server\u0027s filesystem, including sensitive configuration files and system files via the \u0027local_url\u0027 parameter.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-73\", \"description\": \"CWE-73 External Control of File Name or Path\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2025-11-01T06:40:40.047Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-12137\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T13:30:23.253Z\", \"dateReserved\": \"2025-10-23T21:15:40.493Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2025-11-01T06:40:40.047Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.