Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
Published: 2025-11-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The WP Ultimate CSV Importer plugin allows an authenticated user with author-level permissions or higher to access the showsetting() endpoint without any authorization check, enabling the extraction of sensitive configuration data such as OpenAI API keys. This results in a direct loss of confidentiality for the site’s sensitive credentials.

Affected Systems

Vendors: smackcoders. Product: WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress. Versions affected are all releases through 7.33 inclusive; any plugin version 7.33 or earlier is vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity; however, the EPSS score of less than 1% shows the likelihood of real‑world exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated author or higher user accessing the showsetting() function via the plugin’s admin interface; the absence of an authorization check permits the attacker to retrieve sensitive configuration information.

Generated by OpenCVE AI on April 22, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Ultimate CSV Importer plugin to version 7.34 or later, where the missing authorization check has been fixed.
  • If an immediate upgrade is not possible, remove the plugin or disable its settings page for users with author-level or lower privileges to block unauthenticated access to sensitive data.
  • Consider disabling author-level access to the WordPress admin interface or restricting it to trusted users until a patch can be applied.

Generated by OpenCVE AI on April 22, 2026 at 16:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Smackcoders
Smackcoders ultimate Csv Importer
Smackcoders wp Ultimate Csv Importer
Wordpress
Wordpress wordpress
Vendors & Products Smackcoders
Smackcoders ultimate Csv Importer
Smackcoders wp Ultimate Csv Importer
Wordpress
Wordpress wordpress

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 08:45:00 +0000

Type Values Removed Values Added
Description The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
Title WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Smackcoders Ultimate Csv Importer Wp Ultimate Csv Importer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:24.421Z

Reserved: 2025-11-04T22:08:04.891Z

Link: CVE-2025-12732

cve-icon Vulnrichment

Updated: 2025-11-12T14:40:50.576Z

cve-icon NVD

Status : Deferred

Published: 2025-11-12T09:15:40.573

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12732

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses