Description
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2025-03-26
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

The Product Import Export for WooCommerce plugin contains a Server-Side Request Forgery flaw in the validate_file() function. The flaw allows an authenticated user with Administrator-level access to make the web application issue HTTP requests to arbitrary URLs from the server side. An attacker could thus query internal services, read sensitive data, or modify information stored in those services, compromising the confidentiality and integrity of those systems.

Affected Systems

All versions of the Product Import Export for WooCommerce plugin released by webtoffee up to and including version 2.5.0 are affected. The vulnerability is present on any WordPress installation with this plugin active; exploiting it requires an account with Administrator-level privileges or higher.

Risk and Exploitability

The CVSS score of 7.6 corresponds to a High severity rating. The EPSS score is less than 1%, suggesting that the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The requirement for Administrator privileges limits the pool of potential attackers, but a compromised or malicious Administrator account could abuse the SSRF vector to reach internal resources. The main risk lies in the potential for internal data exposure and unauthorized manipulation of internal services.

Generated by OpenCVE AI on April 21, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Product Import Export for WooCommerce plugin to a version newer than 2.5.0, which removes the vulnerable validate_file function.
  • If an immediate upgrade is not possible, restrict Administrator access to the import/export feature by disabling the functionality or configuring role capabilities so that only trusted accounts can use it.
  • Apply network segmentation or firewall rules to block outbound connections from the WordPress server to internal networks, limiting the impact of any remaining SSRF vectors.
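The third action above is a network-level control. An application-level complement, which a file-import feature can apply before fetching any user-supplied URL, is to resolve the target host and refuse destinations that land in loopback, private, link-local or other internal ranges. The block below is an added illustration of that check; it is not code from the plugin, from webtoffee or from OpenCVE, and the function names, the constructed DNS fixture and the sample hosts are all hypothetical.

```python
"""
Added example (not the plugin's or OpenCVE's code): an SSRF guard that
resolves a user-supplied URL and refuses hosts that map to internal
address ranges. Names and fixtures here are hypothetical.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetch must never reach: loopback, RFC 1918, CGNAT,
# link-local (this also covers cloud metadata endpoints on 169.254.169.254),
# and the IPv6 counterparts including IPv4-mapped addresses.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
    )
]


def is_blocked_address(addr: str) -> bool:
    """True if the address falls in a range the server must not connect to."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_remote_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be non-internal."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        # getaddrinfo-shaped answer: one entry per address the host maps to.
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return False, f"dns resolution failed: {exc}"
    for info in infos:
        addr = info[4][0]
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


# Constructed DNS fixture so the demonstration runs offline (not real hosts).
FAKE_DNS = {
    "files.example": ["203.0.113.10"],
    "intranet.example": ["10.1.2.3"],
    "dual.example": ["203.0.113.20", "192.168.5.5"],  # one public, one private answer
}


def fake_resolver(host, port, proto=0):
    """Stand-in for socket.getaddrinfo returning the same tuple shape."""
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        if host not in FAKE_DNS:
            raise socket.gaierror(f"name not known: {host}")
        addrs = FAKE_DNS[host]
    return [
        (socket.AF_INET6 if ":" in a else socket.AF_INET,
         socket.SOCK_STREAM, proto, "", (a, port))
        for a in addrs
    ]


if __name__ == "__main__":
    for candidate in (
        "https://files.example/products.csv",
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.example/export.csv",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_remote_url(candidate, fake_resolver))
```

Two caveats matter in a real deployment: the check resolves the name at validation time, so the HTTP client must connect to the address that was validated (or re-check on every redirect) rather than resolve again, otherwise a DNS answer that changes between check and fetch bypasses the guard; and a deny-list of ranges is a floor, not a ceiling, so where the feature only ever needs a few known sources, an allow-list of hosts is the stronger configuration.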



Advisories
Source: EUVD
ID: EUVD-2025-8126
Title: The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
History

Wed, 09 Jul 2025 17:15:00 +0000

Type: First Time Appeared
Values Added: Webtoffee; Webtoffee Product Import Export For Woocommerce

Type: CPEs
Values Added: cpe:2.3:a:webtoffee:product_import_export_for_woocommerce:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Webtoffee; Webtoffee Product Import Export For Woocommerce

Wed, 26 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 12:15:00 +0000

Type: Description
Values Added: The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Title
Values Added: Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Webtoffee Product Import Export For Woocommerce
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:23.164Z

Reserved: 2025-03-03T22:52:35.747Z

Link: CVE-2025-1912

Vulnrichment

Updated: 2025-03-26T13:19:42.165Z

NVD

Status: Analyzed

Published: 2025-03-26T12:15:15.353

Modified: 2025-07-09T16:49:31.477

Link: CVE-2025-1912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses