Description
Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename parameter to delete sensitive files like wp-config.php outside the intended export directory.
Published: 2026-05-17
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw that permits any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX action. By crafting POST requests that include directory traversal sequences, an attacker can target sensitive files such as wp-config.php, resulting in loss of essential configuration data and a potential compromise of site integrity and confidentiality. This issue is classified as CWE-22.

Affected Systems

The problem affects the WooCommerce CSV-Importer plugin for WooCommerce, specifically version 3.3.6. No version information is provided for later releases; affected versions are those equal to or older than 3.3.6.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is considered high severity; its EPSS score is not available and it is not listed in the CISA KEV catalog. The attack vector is remote but requires only a legitimate registered user account, making exploitation straightforward for anyone who can access the WordPress site. Successful exploitation results in deletion of critical files, which can lead to site downtime, data loss, and increased administrative effort to recover configuration files.

Generated by OpenCVE AI on May 17, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce CSV-Importer plugin to the latest available release.
  • Modify the plugin or apply a role-based restriction so that only administrator accounts can invoke the delete_export_file AJAX action.
  • As a temporary measure, block or disable the delete_export_file endpoint for non-admin users using a security plugin or an .htaccess rule.
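The recommended actions above (capability restriction plus confinement of the file name to the export directory) can be combined in one AJAX handler. The following is an added example written for this page; it is not the WooCommerce CSV Importer plugin's own code. It assumes a hypothetical handler registered on the same delete_export_file action, an export directory under the WordPress uploads folder (a constructed path), and a nonce named example_delete_export_file issued by the plugin's admin page.

```php
<?php
/*
 * Hardened handler for a hypothetical "delete_export_file" AJAX action.
 * Added example; not the WooCommerce CSV Importer plugin's own code.
 * Assumes exports live in <uploads>/csv-exports/ (constructed path).
 */

add_action( 'wp_ajax_delete_export_file', 'example_delete_export_file' );

// Export directory the handler is allowed to touch (assumption for this example).
function example_export_dir() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'csv-exports';
}

function example_delete_export_file() {
    // 1. Restrict the action to administrators instead of any registered user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 2. Require a nonce so the request must come from the plugin's own admin UI.
    check_ajax_referer( 'example_delete_export_file', 'nonce' );

    // 3. Reduce the user-supplied value to a bare file name: basename() drops any
    //    directory components and traversal sequences before a path is built,
    //    and the extension check limits deletion to export files.
    $raw  = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    $name = sanitize_file_name( basename( $raw ) );
    if ( '' === $name || ! preg_match( '/\.csv$/i', $name ) ) {
        wp_send_json_error( array( 'message' => 'invalid file name' ), 400 );
    }

    // 4. Defence in depth: resolve both paths and verify the candidate file really
    //    sits inside the export directory (symlinks are resolved by realpath()).
    $dir  = realpath( example_export_dir() );
    $path = realpath( $dir . '/' . $name );
    if ( false === $dir || false === $path || ! is_file( $path )
        || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'file not found' ), 404 );
    }

    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The admin page that triggers the request must emit the matching nonce with wp_create_nonce( 'example_delete_export_file' ); without it, check_ajax_referer() terminates the request. Steps 1 and 2 remove the "any registered user" exposure described on this page, and steps 3 and 4 remove the traversal itself, so either layer alone would already block deletion of a file such as wp-config.php.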


Tracking


Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Woocommerce-csvimport; Woocommerce-csvimport woocommerce Csv-importer
Type: Vendors & Products
  Values removed: (none)
  Values added: Woocommerce-csvimport; Woocommerce-csvimport woocommerce Csv-importer

Sun, 17 May 2026 12:30:00 +0000

Type: Description
  Values removed: (none)
  Values added: Woocommerce CSV Importer 3.3.6 contains a path traversal vulnerability that allows any registered user to delete arbitrary files by submitting unescaped filenames through the delete_export_file AJAX action. Attackers can craft POST requests with directory traversal sequences in the filename parameter to delete sensitive files like wp-config.php outside the intended export directory.
Type: Title
  Values removed: (none)
  Values added: Woocommerce CSV Importer 3.3.6 Path Traversal File Deletion
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-22
Type: References
  Values removed: (none)
  Values added: (none)
Type: Metrics
  Values removed: (none)
  Values added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Woocommerce-csvimport Woocommerce Csv-importer
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-17T12:11:31.525Z

Reserved: 2026-05-17T11:39:42.277Z

Link: CVE-2018-25325

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T13:16:43.923

Modified: 2026-05-17T13:16:43.923

Link: CVE-2018-25325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T17:00:05Z

Weaknesses