Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
Published: 2025-11-01
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Patch Plugin
AI Analysis

Impact

The vulnerability in the Import WP plugin allows an authenticated administrator to request arbitrary files on the server via the REST API endpoint. The plugin accepts absolute file paths without validation, meaning the local_url parameter can be set to any file system location. The attacker can read sensitive configuration files, credentials, or system files, compromising confidentiality.

Affected Systems

The issue affects all installations of the Import WP – Export and Import CSV and XML files to WordPress plugin with versions 2.14.16 or earlier when running on WordPress sites. Any site using the vulnerable plugin and where an attacker can gain administrator privileges is at risk. The plugin is maintained by developer jcollings.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, and the EPSS score below 1% suggests that exploit attempts are currently rare. The vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with administrator or higher rights to reach the REST API endpoint, which limits the attack surface to privileged accounts. Once that condition is met, however, the attacker can read arbitrary files, which could lead to credential theft or other sensitive data exposure.

Generated by OpenCVE AI on April 21, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Import WP plugin to version 2.14.17 or later, which removes the vulnerability by validating file paths.
  • If an update is not immediately possible, restrict or disable the REST API endpoint that handles the 'file_local' action for administrator accounts.
  • Ensure that critical system files and configuration directories have strict file permissions and are not readable by the web server process or WordPress user.
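The recommended fix above is "validating file paths". The following is an added example of what that validation looks like in PHP; it is not code from the Import WP plugin and does not reproduce its attach_file() function. The function name, the $allowed_base argument and the sample files are constructed for this illustration. In a real WordPress plugin the allowed base would normally be wp_upload_dir()['basedir'] rather than the temporary directory used here.

```php
<?php
// Added example (not Import WP code): accept a user-supplied local path only
// if it resolves to a regular file inside an allowed directory. The function
// name and $allowed_base are hypothetical; the demo files are constructed.

/**
 * Return the canonical path of $candidate if it is a regular file inside
 * $allowed_base, otherwise null. Callers must treat null as "reject".
 */
function example_validate_local_path(string $candidate, string $allowed_base): ?string
{
    // Reject NUL bytes and stream wrappers (file://, php://, phar://, ...)
    // before the filesystem is consulted at all.
    if (strpos($candidate, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return null;
    }

    // realpath() resolves "..", symlinks and duplicate separators, and returns
    // false if the path does not exist.
    $base = realpath($allowed_base);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }

    // Canonical prefix check. The trailing separator prevents an allowed base
    // of /srv/uploads from matching /srv/uploads-private.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// ---- Demonstration with constructed files in a temporary directory ----
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'importwp-demo-' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'people.csv', "name,email\nalice,alice@example.org\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'wp-config.php', "<?php // constructed stand-in for a secret file\n");

$cases = [
    $uploads . '/people.csv',            // inside the allowed directory: ACCEPT
    $uploads . '/../wp-config.php',      // traversal out of the directory: REJECT
    $root . '/wp-config.php',            // absolute path outside the directory: REJECT
    'file://' . $uploads . '/people.csv', // stream wrapper: REJECT
];
foreach ($cases as $c) {
    $r = example_validate_local_path($c, $uploads);
    printf("%-7s %s\n", $r === null ? 'REJECT' : 'ACCEPT', $c);
}

// Clean up the constructed files.
unlink($uploads . DIRECTORY_SEPARATOR . 'people.csv');
unlink($root . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($uploads);
rmdir($root);
```

The order of the checks matters: the wrapper and NUL-byte tests run before realpath() so that no stream wrapper is ever opened, and the prefix comparison is done on the canonicalised path returned by realpath(), not on the string the client sent, so ".." segments and symlinks pointing outside the allowed directory are rejected. A capability check such as current_user_can() on the REST route is still required; path validation limits what an authorised caller can read, it does not decide who may call the endpoint.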

Generated by OpenCVE AI on April 21, 2026 at 18:42 UTC.


Advisories

No advisories yet.

History

Mon, 03 Nov 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Added: Jcollings; Jcollings import Wp; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jcollings; Jcollings import Wp; Wordpress; Wordpress wordpress

Sat, 01 Nov 2025 07:00:00 +0000

Type: Description
Values Added: The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.

Type: Title
Values Added: Import WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File Read

Type: Weaknesses
Values Added: CWE-73

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1
{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Jcollings Import Wp
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:21.492Z

Reserved: 2025-10-23T21:15:40.493Z

Link: CVE-2025-12137

Vulnrichment

Updated: 2025-11-03T13:10:35.764Z

NVD

Status : Deferred

Published: 2025-11-01T07:15:35.333

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12137

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses