Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Published: 2026-01-01
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the WP Import – Ultimate CSV XML Importer plugin, where authenticated users with Contributor-level access can cause the server to resolve a Bitly shortlink and subsequently follow redirects to an unvalidated URL. The plugin performs initial validation on the supplied URL, but after detecting a Bitly link it calls a function that automatically follows redirects without re‑validating the final destination. This allows the attacker to force the server to issue outbound HTTP requests to arbitrary internal addresses, including localhost, private IP ranges, or cloud metadata services, potentially leaking sensitive data and exposing internal resources.

Affected Systems

This flaw affects any WordPress site running the WP Ultimate CSV Importer plugin version 7.35 or earlier, which takes its origin from the plugin maintainer smackcoders. Sites that have enabled the import feature for users with Contributor or higher roles are vulnerable. No specific operating system or server configurations are listed, but the issue applies wherever the plugin is installed and accessible to those roles.

Risk and Exploitability

The CVSS score of 6.4 classifies this as a medium risk vulnerability. The EPSS score of less than 1% indicates a very low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access with Contributor or higher privilege and the ability to trigger the import function. If exploited, it can lead to disclosure of internal information and potential lateral movement within the network, but it does not grant arbitrary code execution on the server.

Generated by OpenCVE AI on April 21, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Ultimate CSV Importer plugin to version 7.36 or later, which contains the fixed validation logic.
  • If an update is delayed, block outbound HTTP requests to Bitly domains and internal IP ranges through network controls or firewall rules to prevent the redirect resolution.
  • Consider disabling the URL upload feature for non-administrative users until the patch is applied to reduce the attack surface.
  • Monitor server logs for unexpected outbound HTTP requests originating from the plugin to detect attempted exploitation.

Generated by OpenCVE AI on April 21, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 06 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Smackcoders
Smackcoders an Ultimate Wordpress Importer Cum Migration As Csv \& Xml
Smackcoders ultimate Csv Importer
Smackcoders wp Ultimate Csv Importer
Wordpress
Wordpress wordpress
Vendors & Products Smackcoders
Smackcoders an Ultimate Wordpress Importer Cum Migration As Csv \& Xml
Smackcoders ultimate Csv Importer
Smackcoders wp Ultimate Csv Importer
Wordpress
Wordpress wordpress

Thu, 01 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
Title WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Smackcoders An Ultimate Wordpress Importer Cum Migration As Csv \& Xml Ultimate Csv Importer Wp Ultimate Csv Importer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:57.772Z

Reserved: 2025-12-12T21:29:55.600Z

Link: CVE-2025-14627

cve-icon Vulnrichment

Updated: 2026-01-05T20:08:52.507Z

cve-icon NVD

Status : Deferred

Published: 2026-01-01T17:15:42.597

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses