HIGH · CVE-2025-1912 · CVSS 7.6

Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Administrator+) Server-Side Request Forgery via the validate_file Function

Platform: wordpress

Component: product-import-export-for-woo

Fixed in: 1.10.0, 2.5.4

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2025-1912 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin. This flaw allows authenticated attackers, specifically those with administrator-level access, to initiate web requests to arbitrary locations through the validate_file() function. The vulnerability impacts versions 1.0.0 through 2.5.0 of the plugin, and a patch is available in version 2.5.4.


Impact and Attack Scenarios

The SSRF vulnerability allows an authenticated administrator to craft malicious requests that originate from the WordPress application. This can be exploited to query internal services that are not directly accessible from the outside world, potentially exposing sensitive data or allowing attackers to interact with internal systems. For example, an attacker could attempt to access internal APIs, database management interfaces, or other administrative panels. The impact is amplified by the plugin's popularity and widespread use in e-commerce environments, potentially affecting a large number of online stores. Successful exploitation could lead to data breaches, unauthorized access to internal resources, and even complete compromise of the web server.

Exploitation Context

This vulnerability was publicly disclosed on March 26, 2025. There is currently no indication of active exploitation in the wild, but the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. The plugin's popularity increases the likelihood of exploitation if a public proof-of-concept is released. It is not currently listed on the CISA KEV catalog.

Who Is at Risk

E-commerce businesses using WordPress and the Product Import Export for WooCommerce plugin are at risk. Specifically, sites running versions 1.0.0 through 2.5.0 are vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may be particularly susceptible if they haven't applied the update.

Detection Steps

• wordpress / composer / npm:

grep -r 'validate_file()' /var/www/html/wp-content/plugins/product-import-export-for-woocommerce/

• generic web:

curl -I https://your-wordpress-site.com/wp-content/plugins/product-import-export-for-woocommerce/ | grep Server

• wordpress / composer / npm:

wp plugin list | grep 'Product Import Export for WooCommerce'

• wordpress / composer / npm:

wp plugin update product-import-export-for-woocommerce
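The steps above leave the version comparison to the reader. The script below is an added example, not a tool from the advisory or from the plugin vendor: it reads the standard WordPress `Version:` plugin header from the plugin directory named in the detection steps and reports whether that version falls inside the affected ranges given in this page's affected-software table (1.0.0 – 1.9.9, fixed in 1.10.0; 2.0.0 – 2.5.3, fixed in 2.5.4). It assumes only that the plugin's main PHP file carries such a header; the demo run builds a constructed header in a temporary directory, and the file name `plugin.php` in that demo is a placeholder. It is plain POSIX sh and does not depend on `sort -V` or wp-cli.

```shell
#!/bin/sh
# Added example (not part of the advisory or of the plugin): report whether an
# installed copy of Product Import Export for WooCommerce is in one of the
# affected ranges this page lists. Pure POSIX sh; no `sort -V` needed.
#
# Affected ranges (from the page's affected-software table):
#   1.0.0 - 1.9.9  fixed in 1.10.0
#   2.0.0 - 2.5.3  fixed in 2.5.4

# vercmp A B: print -1, 0 or 1 depending on whether A <, =, > B.
# Fields are compared numerically; a missing field counts as 0 and any
# non-digit suffix in a field (e.g. "0-beta") is dropped.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf '%s' "${a%%.*}" | tr -cd '0-9'); x=${x:-0}
        y=$(printf '%s' "${b%%.*}" | tr -cd '0-9'); y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# in_range V LOW FIXED: true when LOW <= V < FIXED (FIXED is the patched release).
in_range() {
    [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -lt 0 ]
}

# is_vulnerable_version V: exit 0 when V falls in an affected range, 1 otherwise.
is_vulnerable_version() {
    in_range "$1" 1.0.0 1.10.0 || in_range "$1" 2.0.0 2.5.4
}

# plugin_version DIR: print the "Version:" value from the plugin header of the
# first top-level PHP file in DIR that carries one (WordPress reads the same header).
plugin_version() {
    grep -h -E '^[[:space:]*]*Version:' "$1"/*.php 2>/dev/null \
        | head -n 1 \
        | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# check_plugin_dir DIR: exit 0 if the installed version is affected, 1 if not,
# 2 if no version header could be read.
check_plugin_dir() {
    v=$(plugin_version "$1")
    [ -n "$v" ] || { echo "no Version header found under $1" >&2; return 2; }
    if is_vulnerable_version "$v"; then
        echo "AFFECTED: $1 is at $v (CVE-2025-1912 ranges; update to 1.10.0 / 2.5.4)"
        return 0
    fi
    echo "ok: $1 is at $v"
    return 1
}

# demo: run the check against a constructed plugin header (not a real plugin
# file; "plugin.php" is a placeholder name) so the script can be exercised
# without a WordPress install.
demo() {
    d=$(mktemp -d)
    printf '<?php\n/*\n * Plugin Name: Product Import Export for WooCommerce\n * Version: 2.5.0\n */\n' > "$d/plugin.php"
    if check_plugin_dir "$d"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}

# Real use (path taken from the detection steps above):
#   check_plugin_dir /var/www/html/wp-content/plugins/product-import-export-for-woocommerce
demo
```

On a live host, replace the `demo` call with `check_plugin_dir` pointed at the plugin directory and branch on its exit status (0 affected, 1 patched, 2 unreadable) from your inventory tooling; the numeric comparison is what `wp plugin list | grep` alone does not give you.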

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.13% (33rd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Base score: 7.6 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions needed to exploit)
Privileges Required: High (level of authentication required)
User Interaction: None (whether the victim must take an action)
Scope: Changed (impact beyond the affected component)
Confidentiality: High (risk of exposure of sensitive data)
Integrity: Low (risk of unauthorized modification of data)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score

What do these metrics mean?
Attack Vector
Network. Exploitable remotely over the internet; no physical or local access required. Larger attack surface.
Attack Complexity
Low. No special conditions; the attacker can exploit reliably without unusual configurations.
Privileges Required
High. An administrator or otherwise privileged account is required.
User Interaction
None. The attack is automatic and silent; the victim does nothing.
Scope
Changed. The attack can pivot to other systems beyond the vulnerable component.
Confidentiality
High. Total loss of confidentiality; the attacker can read all data.
Integrity
Low. The attacker can modify some data, with limited reach.
Availability
None. No impact on availability.

Affected Software

Component: product-import-export-for-woo
Vendor: webtoffee

Affected range      Fixed in
1.0.0 – 1.9.9       1.10.0
2.0.0 – 2.5.3       2.5.4

Package Information

Active installations: 90K (known)
Plugin rating: 4.6
Requires WordPress: 3.0+
Compatible up to: 6.9.4
Requires PHP: 5.6+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-1912 is to upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's import/export functionality to trusted users only. Web Application Firewalls (WAFs) can be configured to block suspicious outbound requests originating from the plugin, specifically those targeting internal IP addresses or unusual domains. Monitor WordPress access logs for unusual outbound requests originating from the plugin’s files. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a known malicious URL and verifying that the request is blocked or handled safely.

How to fix it

Update the Product Import Export for WooCommerce plugin to version 2.5.4 or later to mitigate the SSRF vulnerability. This update addresses the flaw in the `validate_file()` function that allows authenticated attackers to make arbitrary web requests. Make sure to back up your website before updating the plugin.


Frequently Asked Questions

What is CVE-2025-1912 — SSRF in Product Import Export for WooCommerce?

CVE-2025-1912 is a Server-Side Request Forgery vulnerability affecting versions 1.0.0–2.5.0 of the Product Import Export for WooCommerce plugin, allowing authenticated admins to make arbitrary web requests.

Am I affected by CVE-2025-1912 in Product Import Export for WooCommerce?

Yes, if you are using Product Import Export for WooCommerce versions 1.0.0 through 2.5.0, you are vulnerable to this SSRF vulnerability.

How do I fix CVE-2025-1912 in Product Import Export for WooCommerce?

Upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later to resolve the vulnerability. Consider temporary restrictions if immediate upgrade is not possible.

Is CVE-2025-1912 being actively exploited?

There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.

Where can I find the official Product Import Export for WooCommerce advisory for CVE-2025-1912?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
