CVE-2025-12137
BaseFortify
Publication date: 2025-11-01
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| importwp | jc-importer | 2.14.17 |
| importwp | importwp | 2.14.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-12137 is an Absolute Path Traversal vulnerability in the Import WP – Export and Import CSV and XML files to WordPress plugin. It occurs because the plugin's REST API endpoint accepts arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This allows authenticated attackers with administrator-level access or higher to read arbitrary files on the server's filesystem, including sensitive configuration and system files, by manipulating the 'local_url' parameter. The vulnerability arises from insufficient input validation that permits attackers to specify file paths outside intended directories, enabling unauthorized file access. [3, 4]
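The mitigation for the CWE-73 pattern described above is to never honour a user-supplied path as-is but to resolve it inside an allowed base directory and verify the result. The following is an added example, not the plugin's own code; the helper name `resolve_local_import_path()`, the base directory and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (hypothetical helper, not from the Import WP plugin): confine a
// user-supplied 'local_url'-style value to an allowed import directory so that
// absolute paths and '..' segments cannot reach files outside it (CWE-73).

function resolve_local_import_path(string $user_path, string $base_dir): ?string
{
    // Normalise the allowed base directory; fail closed if it does not exist.
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    // Reject embedded NUL bytes, which can truncate paths in filesystem calls.
    if (strpos($user_path, "\0") !== false) {
        return null;
    }
    // Treat the value as relative to the base directory: a leading '/' is
    // stripped, so an absolute path such as '/etc/passwd' is never used as-is.
    $candidate = $real_base . DIRECTORY_SEPARATOR . ltrim($user_path, '/\\');
    // realpath() resolves '..' segments and symlinks; false means the file is
    // missing. A symlink inside the base that points outside it resolves to
    // its target and is rejected by the prefix check below.
    $real_path = realpath($candidate);
    if ($real_path === false || !is_file($real_path)) {
        return null;
    }
    // Prefix check with a trailing separator so that a sibling directory
    // such as '/srv/uploads2' cannot satisfy a base of '/srv/uploads'.
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real_path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real_path;
}

// Demonstration on a constructed temporary directory with one CSV file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'importwp_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'data.csv', "id,name\n1,alice\n");

var_dump(resolve_local_import_path('data.csv', $base));             // resolved path inside $base
var_dump(resolve_local_import_path('../../wp-config.php', $base));  // rejected: leaves base
var_dump(resolve_local_import_path('/etc/passwd', $base));          // rejected: absolute path

unlink($base . DIRECTORY_SEPARATOR . 'data.csv');
rmdir($base);
```

Only the first call returns a path; the two traversal-style inputs return `null`, and the caller should log and refuse the import in that case rather than fall back to the raw value.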
How can this vulnerability impact me?
This vulnerability can allow an attacker with administrator-level access to read arbitrary files on the server, potentially exposing sensitive configuration files, system files, or other confidential data. This unauthorized file access can lead to information disclosure, which may facilitate further attacks such as credential theft or system compromise. Although the vulnerability does not directly allow code execution or denial of service, the exposure of sensitive files can have serious security implications. [3, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with standards and regulations such as GDPR and HIPAA because it allows unauthorized access to sensitive files that may contain personal data or protected health information. Exposure of such data violates confidentiality requirements mandated by these regulations, potentially leading to data breaches, legal penalties, and loss of trust. Organizations using the affected plugin must address this vulnerability promptly to maintain compliance and protect sensitive information. [3, 4]