CVE-2025-12732
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp_ultimate_csv_importer | 7.33.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the WP Import β Ultimate CSV XML Importer WordPress plugin allows authenticated users with Author-level access or higher to access sensitive information without proper authorization. Specifically, the showsetting() function lacked sufficient authorization checks, enabling these users to extract sensitive data such as OpenAI API keys configured in the plugin's admin interface. The root cause is missing or incomplete permission checks in AJAX handlers managing plugin settings, which was fixed in version 7.33.1 by adding proper capability verifications. [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access and potential exposure of sensitive information, including OpenAI API keys stored in the plugin settings. Attackers with Author-level access or higher could extract or manipulate these settings, potentially leading to privilege escalation or compromise of the WordPress site's integrity. Unauthorized modification or deletion of critical plugin configurations is also possible, which could disrupt site functionality or security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring AJAX requests to the WordPress plugin's SendPassword.php file, specifically looking for calls to the showsetting() or showOptions() functions. You can check for unauthorized access attempts by inspecting HTTP POST requests containing the 'securekey' nonce parameter targeting these endpoints. For example, using command-line tools like curl or wget, you can attempt to access the showsetting() function with and without proper authorization to verify if the plugin properly restricts access. A sample command to test might be: curl -X POST -d 'action=showsetting&securekey=INVALID_OR_MISSING_NONCE' https://yourwordpresssite.com/wp-admin/admin-ajax.php - to check if unauthorized requests are rejected. Additionally, reviewing web server logs for suspicious POST requests to admin-ajax.php with parameters related to the plugin can help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the WP Import β Ultimate CSV XML Importer plugin to version 7.33.1 or later, as this version includes the fix that adds proper authorization checks to the vulnerable AJAX handlers. If updating is not immediately possible, restrict access to the WordPress admin area to trusted users only, especially those with Author-level access or higher, and monitor for suspicious activity. Additionally, consider temporarily disabling the plugin until the update can be applied. Ensure that all users have appropriate capabilities assigned and that nonces are properly verified in AJAX requests to prevent unauthorized access to sensitive settings such as OpenAI API keys. [1, 3]