Platform: wordpress
Component: extendons-eo-wooimport-export
Fixed in: 2.0.7
CVE-2025-54029 is an Arbitrary File Access vulnerability affecting the WooCommerce CSV Import Export plugin. This vulnerability allows attackers to potentially read sensitive files on the server. It impacts versions 0.0.0 through 2.0.6 of the plugin, and a fix is available in version 2.0.7.
The Arbitrary File Access vulnerability in WooCommerce CSV Import Export allows an attacker to bypass intended security restrictions and access files outside of the intended directory. This could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. A successful exploit could compromise the entire WordPress installation and potentially lead to further attacks, including remote code execution if sensitive files contain executable code or credentials for other systems. The impact is amplified if the server hosts multiple WordPress sites or if the exposed files contain credentials for other services.
This vulnerability was publicly disclosed on 2025-08-28. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2025-54029 is to immediately upgrade the WooCommerce CSV Import Export plugin to version 2.0.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Carefully review file upload and import functionalities for any potential vulnerabilities. Monitor WordPress logs for suspicious file access attempts.
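The log-monitoring step above, as an added example (not code from the plugin, its developer or this advisory): it percent-decodes each request target repeatedly before looking for `../` segments, so encoded and double-encoded forms that a literal `../` match would miss are also flagged. The log lines, endpoint and parameter name are constructed placeholders, and a combined-format access log is assumed.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment bounded by a separator, so "file..name.csv" is not flagged
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')


def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded), normalising %2e%2e and %252e%252e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if the decoded request target contains a traversal segment."""
    return bool(TRAVERSAL_RE.search(fully_decode(target)))


def flag_lines(lines):
    """Return (line_number, decoded_target) for each request worth reviewing."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group("target")):
            hits.append((number, fully_decode(match.group("target"))))
    return hits


# Constructed sample lines; "/example-endpoint" and "example_param" are
# placeholders, not the plugin's real endpoint or parameter.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Aug/2025:10:00:01 +0000] "GET /example-endpoint?example_param=report.csv HTTP/1.1" 200 512',
    '203.0.113.5 - - [28/Aug/2025:10:00:02 +0000] "GET /example-endpoint?example_param=../../wp-config.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [28/Aug/2025:10:00:03 +0000] "GET /example-endpoint?example_param=..%2F..%2Fwp-config.php HTTP/1.1" 200 3120',
    '203.0.113.9 - - [28/Aug/2025:10:00:04 +0000] "GET /example-endpoint?example_param=%252e%252e%252fwp-config.php HTTP/1.1" 403 0',
    '203.0.113.7 - - [28/Aug/2025:10:00:05 +0000] "GET /wp-content/uploads/file..name.csv HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, target in flag_lines(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

A flagged line is a lead for review: compare its response status and size against normal requests to the same path before treating it as a successful read.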
Update the WooCommerce CSV Import Export plugin to a patched version. Check the developer's website or the WordPress repository for the latest available version. Perform a full site backup before updating any plugin.
CVE-2025-54029 is a vulnerability in WooCommerce CSV Import Export allowing attackers to read files outside the intended directory. It affects versions 0.0.0–2.0.6 and has a CVSS score of 7.7 (HIGH).
You are affected if you are using WooCommerce CSV Import Export version 0.0.0 through 2.0.6. Check your plugin version and upgrade immediately if necessary.
Upgrade the WooCommerce CSV Import Export plugin to version 2.0.7 or later. If immediate upgrade is not possible, implement WAF rules to block path traversal attempts.
As of 2025-08-28, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants monitoring.
Refer to the extendons website and WordPress plugin repository for the latest updates and security advisories related to WooCommerce CSV Import Export.