Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 2.14.17. The import/export functionality writes its files into directories that the web server serves directly, and those directories carry no .htaccess restriction, so unauthenticated attackers can read export files stored in /exportwp and import data stored in /importwp. The weakness is classified as CWE-552 (Files or Directories Accessible to External Parties).

Affected Systems

The affected product is the Import WP – Export and Import CSV and XML files to WordPress plugin, developed by jcollings. All releases of the plugin up to and including version 2.14.17 are affected. The advisory does not name a fixed release, so a later version should be treated as unaffected only once the vendor's changelog confirms that the storage directories are protected.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) describes an unauthenticated, network-reachable read with limited confidentiality impact and no effect on integrity or availability. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation does not require interacting with the plugin's import or export features: the files those features write are kept in directories served by the web server without an .htaccess restriction, so any visitor who can reach /exportwp or /importwp over HTTP can retrieve them, and the SSVC assessment recorded in the history below marks the issue as automatable. What is disclosed depends on what the site owner has exported or imported, which can include post content, user records and other data that was never meant to be public.

Generated by OpenCVE AI on April 22, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a release newer than 2.14.17 of the Import WP plugin, if available from the vendor.
  • Add or enforce .htaccess rules that deny direct web access to the /exportwp and /importwp directories, or relocate them outside the web root. Note that .htaccess is honoured only by Apache with AllowOverride enabled; on nginx or another server add an equivalent deny rule in the server configuration. Delete export files that are no longer needed, since anything already written may have been downloaded.
  • If the plugin is not required, remove or disable it to eliminate the exposure risk.
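The following POSIX shell script is an added example covering both the exposure described under Risk and Exploitability and the .htaccess remediation above; it is not part of the OpenCVE page, nor the plugin's own code. It assumes the two directories live under wp-content/uploads/ (the page names only /exportwp and /importwp), that the site runs on Apache with AllowOverride permitting .htaccess, and the function names (importwp_audit, importwp_harden, importwp_probe) are hypothetical. It audits a site's uploads tree for the unprotected directories, writes a deny rule into each one, and re-audits.

```shell
#!/bin/sh
# Audit and harden the Import WP storage directories named in the advisory.
# Assumptions not stated on the page: the plugin keeps its files under
# wp-content/uploads/importwp and wp-content/uploads/exportwp, the site runs
# on Apache, and AllowOverride lets .htaccess take effect. Function and
# variable names are hypothetical.

# Directory names the advisory reports as readable without authentication.
IMPORTWP_DIRS="importwp exportwp"

# Emit the .htaccess body that denies all direct HTTP access. Both the
# Apache 2.4 (mod_authz_core) and 2.2 directive forms are included so that
# either server version honours the rule.
importwp_htaccess_body() {
cat <<'EOF'
# Block direct HTTP access to Import WP import/export files (CVE-2025-12894).
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# importwp_audit <uploads_dir>
# Reports every Import WP directory that exists under <uploads_dir> but has no
# .htaccess carrying a deny rule. Returns 1 if any were found, 0 otherwise.
importwp_audit() {
    uploads="$1"
    unprotected=0
    for name in $IMPORTWP_DIRS; do
        dir="$uploads/$name"
        [ -d "$dir" ] || continue
        if ! grep -qE 'Require all denied|Deny from all' "$dir/.htaccess" 2>/dev/null; then
            echo "UNPROTECTED: $dir"
            unprotected=1
        fi
    done
    return $unprotected
}

# importwp_harden <uploads_dir>
# Writes the deny .htaccess into each existing Import WP directory and drops
# an empty index.php beside it, so that a server which ignores .htaccess still
# serves nothing for a bare directory request instead of a file listing.
importwp_harden() {
    uploads="$1"
    for name in $IMPORTWP_DIRS; do
        dir="$uploads/$name"
        [ -d "$dir" ] || continue
        importwp_htaccess_body > "$dir/.htaccess"
        [ -e "$dir/index.php" ] || printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
        chmod 0644 "$dir/.htaccess" "$dir/index.php"
    done
}

# importwp_probe <site_url>
# After deploying the rule, confirm from outside that the directories answer
# 403 (or 404) rather than 200. Needs network access; not exercised below.
importwp_probe() {
    site="$1"
    for name in $IMPORTWP_DIRS; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$site/wp-content/uploads/$name/")
        echo "$site/wp-content/uploads/$name/ -> HTTP $code"
    done
}

# Demonstration on a constructed throwaway tree, not a real site: one export
# file with a made-up user row stands in for the data an attacker would read.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/exportwp" "$demo_root/importwp"
printf 'user_login,user_email\nadmin,admin@example.test\n' > "$demo_root/exportwp/users.csv"
importwp_audit "$demo_root" || echo "audit: exposure found, hardening"
importwp_harden "$demo_root"
importwp_audit "$demo_root" && echo "audit: all Import WP directories protected"
rm -rf "$demo_root"
```

Run it as `sh harden-importwp.sh` on the server, then call `importwp_probe https://example.test` from a machine outside the site to confirm the directories no longer return 200. The deny rule only takes effect if AllowOverride includes AuthConfig (Apache 2.4) or Limit (2.2); with AllowOverride None the file is read but ignored, which is exactly why the external probe is part of the check. nginx never reads .htaccess, so there the equivalent is a `location ^~ /wp-content/uploads/exportwp/ { deny all; }` block (and the same for importwp) in the server configuration. Moving the directories outside the web root, as the recommended actions suggest, removes the dependency on server configuration altogether.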

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jcollings
                                      Jcollings import Wp
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Jcollings
                                      Jcollings import Wp
                                      Wordpress
                                      Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 07:45:00 +0000

Type                 Values Removed   Values Added
Description                           The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.
Title                                 Import WP – Export and Import CSV and XML files to WordPress <= 2.14.17 - Unauthenticated Information Exposure
Weaknesses                            CWE-552
References
Metrics                               cvssV3_1
                                      {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:11.970Z

Reserved: 2025-11-07T18:29:34.958Z

Link: CVE-2025-12894

Vulnrichment

Updated: 2025-11-21T14:44:15.289Z

NVD

Status : Deferred

Published: 2025-11-21T08:15:54.403

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses