Description
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
Published: 2025-03-26
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary deletion of log files by administrators
Action: Patch
AI Analysis

Impact

A directory traversal flaw in the admin_log_page() function of the Product Import Export for WooCommerce plugin allows an attacker who holds Administrator privileges in WordPress to delete arbitrary log files on the server. The vulnerability does not grant code execution or data exfiltration, but it removes audit trail information, potentially reducing the ability to investigate incidents or debug the system. Because the affected function operates on paths supplied by the user, the attacker can target any file that the web server process can write to, which may include security or access logs.

Affected Systems

The flaw affects the webtoffee Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress, any version 2.5.0 or earlier. The plugin is installed on WordPress sites and is identified as webtoffee:product_import_export_for_woocommerce in the CPE registry.

Risk and Exploitability

With a CVSS score of 2.7 the vulnerability is considered a low severity issue, and its EPSS score is below 1%, indicating a very low likelihood of exploitation. The exploit requires an authenticated user with Administrator level or higher privileges; thus, a local attacker who can log into the WordPress admin interface is sufficient to trigger the deletion. The vulnerability is not listed in the CISA KEV catalog, so no widely known exploits are published at the time of this analysis.

Generated by OpenCVE AI on April 20, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Product Import Export for WooCommerce plugin to the latest version, which removes the directory traversal flaw.
  • If an upgrade cannot be performed immediately, disable or remove the admin_log_page feature that permits file deletion or modify the plugin code to enforce strict path validation.
  • Adjust file system permissions on log directories so that non-essential accounts cannot delete logs, ensuring that only authorized services retain write access.

Generated by OpenCVE AI on April 20, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8125 The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
History

Wed, 09 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Webtoffee
Webtoffee product Import Export For Woocommerce
CPEs cpe:2.3:a:webtoffee:product_import_export_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Webtoffee
Webtoffee product Import Export For Woocommerce

Wed, 26 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 26 Mar 2025 12:15:00 +0000

Type Values Removed Values Added
Description The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
Title Product Import Export for WooCommerce <= 2.5.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Webtoffee Product Import Export For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:17.118Z

Reserved: 2025-03-03T22:18:14.606Z

Link: CVE-2025-1911

cve-icon Vulnrichment

Updated: 2025-03-26T13:14:12.263Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-26T12:15:15.197

Modified: 2025-07-09T16:55:18.113

Link: CVE-2025-1911

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z

Weaknesses