Description
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
Published: 2025-03-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update Plugin
AI Analysis

Impact

The product Import Export for WooCommerce for WordPress has a directory traversal flaw in the download_file() function that affects all releases up to and including 2.5.0. This weakness (CWE-22) allows attackers who are already authenticated as administrators or higher to read arbitrary server files, such as log files, which may contain sensitive data.

Affected Systems

WordPress sites that use the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin with a version 2.5.0 or earlier are vulnerable. Administrators can trigger the flaw through the download_file endpoint to retrieve any accessible file.

Risk and Exploitability

The CVSS score of 4.9 rates the issue as moderate severity. The EPSS score is less than 1 %, indicating a low probability of active exploitation, and the flaw is not listed in the CISA KEV catalog. Exploitation requires valid administrative credentials; once logged in, an attacker can use the vulnerable function to request arbitrary file paths, bypassing normal access controls. No publicly available exploit code has been reported in the official data.

Generated by OpenCVE AI on April 21, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 2.5.0 that implements proper path validation to eliminate directory traversal.
  • Ensure server file permissions and WordPress user roles limit access to sensitive logs; consider restricting the log directory to non‑public locations.
  • Audit the server after upgrading, verifying that the download_file endpoint no longer accepts arbitrary paths and that no residual copies of older plugin files remain.

Generated by OpenCVE AI on April 21, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8120 The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
History

Wed, 09 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Webtoffee
Webtoffee product Import Export For Woocommerce
CPEs cpe:2.3:a:webtoffee:product_import_export_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Webtoffee
Webtoffee product Import Export For Woocommerce

Wed, 26 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
Title Product Import Export for WooCommerce <= 2.5.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Webtoffee Product Import Export For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:37.824Z

Reserved: 2025-02-27T23:32:47.829Z

Link: CVE-2025-1769

cve-icon Vulnrichment

Updated: 2025-03-26T13:34:22.025Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-26T12:15:15.040

Modified: 2025-07-09T16:57:42.397

Link: CVE-2025-1769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses