Executive Summary

CVE-2025-12137 is an Absolute Path Traversal vulnerability in the Import WP – Export and Import CSV and XML files to WordPress plugin. It occurs because the plugin's REST API endpoint accepts arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This allows authenticated attackers with administrator-level access or higher to read arbitrary files on the server's filesystem, including sensitive configuration and system files, by manipulating the 'local_url' parameter. The vulnerability arises from insufficient input validation that permits attackers to specify file paths outside intended directories, enabling unauthorized file access. [3, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with administrator-level access to read arbitrary files on the server, potentially exposing sensitive configuration files, system files, or other confidential data. This unauthorized file access can lead to information disclosure, which may facilitate further attacks such as credential theft or system compromise. Although the vulnerability does not directly allow code execution or denial of service, the exposure of sensitive files can have serious security implications. [3, 4]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability can negatively impact compliance with standards and regulations such as GDPR and HIPAA because it allows unauthorized access to sensitive files that may contain personal data or protected health information. Exposure of such data violates confidentiality requirements mandated by these regulations, potentially leading to data breaches, legal penalties, and loss of trust. Organizations using the affected plugin must address this vulnerability promptly to maintain compliance and protect sensitive information. [3, 4]

Useful 0 Not Useful 0