Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export extendons-eo-wooimport-export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through <= 2.0.6.
Published: 2025-08-28
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Path Traversal flaw that allows an attacker to delete arbitrary files from the server. Because the plugin does not properly restrict uploaded CSV filenames, an attacker can craft a filename containing traversal sequences such as "../" and then trigger the import/export process to remove any file on the file system. This results in a breach of integrity and availability, potentially removing critical configuration or application files.

Affected Systems

The flaw affects WordPress users who have installed the WooCommerce csv import export plugin by Extendons, versions up to and including 2.0.6. Any deployment that has an upgrade path to a later 2.0.x release will no longer be vulnerable.

Risk and Exploitability

The CVSS score is 7.7, indicating a high impact severity. The EPSS score of less than one percent suggests that real‑world exploitation is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the plugin’s import or export functionality, which can be accessed by users with sufficient permissions. An attacker who can trigger the import/export flow could delete critical server files, but would need appropriate access to the WordPress admin interface or to exploit the upload feature to input the malicious path.

Generated by OpenCVE AI on April 30, 2026 at 07:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce csv import export plugin to the latest available version (2.0.7 or later).
  • If an upgrade is not possible, restrict the import/export feature to trusted administrator roles or disable it entirely for all users.
  • Configure a web application firewall or server configuration to block filename traversal patterns in upload and export requests, ensuring that only files within the expected directory are processed.
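The third action above describes the check a plugin should perform itself: resolve the supplied file name against one fixed directory and refuse anything that ends up outside it. The PHP below is an added example, not code from the Extendons plugin or from OpenCVE; the `$baseDir` parameter stands in for whatever directory the plugin uses for CSV files (in a real plugin this would typically come from `wp_upload_dir()`), and the temporary directory, sample file and symlink in `run_demo()` are constructed here for the demonstration.

```php
<?php
// Added example (not the plugin's code): confine an import/export file name
// to one directory before acting on it. $baseDir is an assumed stand-in for
// the plugin's CSV directory.

function resolve_csv_path(string $baseDir, string $userFileName): ?string
{
    $base = realpath($baseDir);            // canonical base; false if it does not exist
    if ($base === false) {
        return null;
    }

    // Keep only the final path component: this drops "../" and any directory prefix.
    $name = basename($userFileName);

    // Allow a conservative character set and require a .csv extension.
    if (!preg_match('/^[A-Za-z0-9._-]+\.csv$/', $name)) {
        return null;
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    $real = realpath($candidate);          // resolves symlinks as well
    if ($real === false) {
        return null;                       // not present or not resolvable
    }

    // Containment check: the resolved path must still start with the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved to somewhere outside the base
    }
    return $real;
}

function delete_csv_safely(string $baseDir, string $userFileName): bool
{
    $path = resolve_csv_path($baseDir, $userFileName);
    if ($path === null) {
        // Log rejections: a useful detection signal for traversal attempts.
        error_log('rejected CSV file name: ' . $userFileName);
        return false;
    }
    return unlink($path);
}

// Self-check against a constructed temporary directory, one sample CSV inside it,
// one file outside it, and a symlink inside the base pointing at the outside file.
function run_demo(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'csv-demo-' . getmypid();
    mkdir($dir, 0700);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'products.csv', "sku,name\n");
    $outside = dirname($dir) . DIRECTORY_SEPARATOR . 'csv-demo-outside-' . getmypid() . '.csv';
    file_put_contents($outside, "x\n");
    $link = $dir . DIRECTORY_SEPARATOR . 'link.csv';
    $haveLink = function_exists('symlink') && @symlink($outside, $link);

    $results = [
        'in-base file'      => delete_csv_safely($dir, 'products.csv'),
        'dot-dot prefix'    => delete_csv_safely($dir, '..' . DIRECTORY_SEPARATOR . basename($outside)),
        'absolute path'     => delete_csv_safely($dir, $outside),
        'symlink escape'    => $haveLink ? delete_csv_safely($dir, 'link.csv') : null,
        'outside survived'  => file_exists($outside),
    ];

    if ($haveLink) {
        @unlink($link);
    }
    @unlink($outside);
    rmdir($dir);
    return $results;
}

print_r(run_demo());
```

Only the plain in-base name is deleted; the dot-dot and absolute forms are neutralised by `basename()`, and the symlink case is caught by the `realpath()` containment check even though the name itself looks harmless. That second layer is the reason to keep the prefix comparison rather than relying on `basename()` alone.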



Advisories

  Source: EUVD
  ID: EUVD-2025-25980
  Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through 2.0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through 2.0.6.
  Description added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export extendons-eo-wooimport-export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through <= 2.0.6.
  References: (no values shown)
  Metrics (cvssV3_1): {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}

Thu, 28 Aug 2025 15:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

  Description added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through 2.0.6.
  Title added: WordPress WooCommerce csv import export Plugin <= 2.0.6 - Arbitrary File Deletion Vulnerability
  Weaknesses added: CWE-22
  References: (no values shown)
  Metrics (cvssV3_1) added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:29.123Z

Reserved: 2025-07-16T08:51:50.629Z

Link: CVE-2025-54029

Vulnrichment

Updated: 2025-08-28T13:28:09.984Z

NVD

Status : Deferred

Published: 2025-08-28T13:16:06.043

Modified: 2026-04-23T15:32:43.990

Link: CVE-2025-54029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses