Platform: wordpress
Component: product-import-export-for-woo
Fixed in: 1.10.0, 2.5.4
CVE-2025-1912 is a Server-Side Request Forgery (SSRF) vulnerability in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin. It allows authenticated attackers with administrator-level access to make web requests to arbitrary locations through the `validate_file()` function. Versions 1.0.0 through 2.5.0 of the plugin are affected; the fix is available in version 2.5.4.
The SSRF vulnerability allows an authenticated administrator to craft malicious requests that originate from the WordPress application. This can be exploited to query internal services that are not directly accessible from the outside world, potentially exposing sensitive data or allowing attackers to interact with internal systems. For example, an attacker could attempt to access internal APIs, database management interfaces, or other administrative panels. The impact is amplified by the plugin's popularity and widespread use in e-commerce environments, potentially affecting a large number of online stores. Successful exploitation could lead to data breaches, unauthorized access to internal resources, and even complete compromise of the web server.
This vulnerability was publicly disclosed on March 26, 2025. There is currently no indication of active exploitation in the wild, but the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. The plugin's popularity increases the likelihood of exploitation if a public proof-of-concept is released. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.13% (33rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-1912 is to upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's import/export functionality to trusted users only. Web Application Firewalls (WAFs) can be configured to block suspicious outbound requests originating from the plugin, specifically those targeting internal IP addresses or unusual domains. Monitor WordPress access logs for unusual outbound requests originating from the plugin’s files. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a known malicious URL and verifying that the request is blocked or handled safely.
Update the Product Import Export for WooCommerce plugin to version 2.5.4 or higher to mitigate the SSRF vulnerability. This update addresses the flaw in the `validate_file()` function that allows authenticated attackers to make arbitrary web requests. Ensure you back up your website before updating the plugin.
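As an added example, not the plugin's own code and not a reconstruction of its patch, this is the kind of hardened server-side check a validate_file()-style routine needs before it fetches a remote CSV: scheme allowlist, resolution of the host, and rejection of loopback, private and link-local targets. The pipe_ function names are assumptions; wp_http_validate_url(), wp_parse_url(), wp_safe_remote_get(), is_wp_error() and WP_Error are WordPress core APIs.

```php
/**
 * Return $url if it is safe for the server to fetch, otherwise a WP_Error.
 * SSRF defences: scheme allowlist, credential/port checks, and rejection of
 * any host that resolves to a loopback, private or link-local address.
 * Hypothetical function name; added example, not the plugin's code.
 */
function pipe_safe_import_url( $url ) {
    // Core check: rejects malformed URLs, user:pass@ hosts, non-http(s)
    // schemes, unusual ports and (by default) hosts on private ranges.
    $validated = wp_http_validate_url( $url );
    if ( false === $validated ) {
        return new WP_Error( 'pipe_unsafe_url', 'URL rejected by wp_http_validate_url().' );
    }

    $parts = wp_parse_url( $validated );
    if ( empty( $parts['scheme'] ) || empty( $parts['host'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
        return new WP_Error( 'pipe_unsafe_url', 'Only https:// import sources are allowed.' );
    }

    // Resolve every A record (core only checks the first) and refuse any
    // non-public address such as 127.0.0.1, 10.0.0.0/8 or 169.254.169.254.
    // gethostbynamel() is IPv4-only, so IPv6-only hosts are rejected too.
    $host = $parts['host'];
    $ips  = filter_var( $host, FILTER_VALIDATE_IP ) ? array( $host ) : gethostbynamel( $host );
    if ( empty( $ips ) ) {
        return new WP_Error( 'pipe_unsafe_url', 'Host does not resolve to an IPv4 address.' );
    }
    $public_only = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ( $ips as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP, $public_only ) ) {
            return new WP_Error( 'pipe_unsafe_url', "Host resolves to non-public address {$ip}." );
        }
    }
    return $validated;
}

/**
 * Fetch only through wp_safe_remote_get(), which sets reject_unsafe_urls so
 * the URL and each redirect target are validated again at request time. That
 * narrows, but cannot fully close, the DNS-rebinding window between the
 * resolution above and the one the HTTP client performs.
 */
function pipe_fetch_import_csv( $url ) {
    $safe = pipe_safe_import_url( $url );
    if ( is_wp_error( $safe ) ) {
        return $safe;
    }
    return wp_safe_remote_get( $safe, array( 'timeout' => 15, 'redirection' => 2 ) );
}
```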
CVE-2025-1912 is a Server-Side Request Forgery vulnerability affecting versions 1.0.0–2.5.0 of the Product Import Export for WooCommerce plugin, allowing authenticated admins to make arbitrary web requests.
Yes, if you are using Product Import Export for WooCommerce versions 1.0.0 through 2.5.0, you are vulnerable to this SSRF vulnerability.
Upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later to resolve the vulnerability. Consider temporary restrictions if immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.