Platform
wordpress
Component
product-import-export-for-woo
Opgelost in
1.10.0
2.5.4
CVE-2025-1912 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin. This flaw allows authenticated attackers, specifically those with administrator-level access, to initiate web requests to arbitrary locations through the validate_file() function. The vulnerability impacts versions 1.0.0 through 2.5.0 of the plugin, and a patch is available in version 2.5.4.
The SSRF vulnerability allows an authenticated administrator to craft malicious requests that originate from the WordPress application. This can be exploited to query internal services that are not directly accessible from the outside world, potentially exposing sensitive data or allowing attackers to interact with internal systems. For example, an attacker could attempt to access internal APIs, database management interfaces, or other administrative panels. The impact is amplified by the plugin's popularity and widespread use in e-commerce environments, potentially affecting a large number of online stores. Successful exploitation could lead to data breaches, unauthorized access to internal resources, and even complete compromise of the web server.
This vulnerability was publicly disclosed on March 26, 2025. There is currently no indication of active exploitation in the wild, but the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. The plugin's popularity increases the likelihood of exploitation if a public proof-of-concept is released. It is not currently listed on the CISA KEV catalog.
E-commerce businesses using WordPress and the Product Import Export for WooCommerce plugin are at risk. Specifically, sites running versions 1.0.0 through 2.5.0 are vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may be particularly susceptible if they haven't applied the update.
• wordpress / composer / npm:
grep -r 'validate_file()' /var/www/html/wp-content/plugins/product-import-export-for-woocommerce/• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/product-import-export-for-woocommerce/ | grep Server• wordpress / composer / npm:
wp plugin list | grep 'Product Import Export for WooCommerce'• wordpress / composer / npm:
wp plugin update product-import-export-for-woocommercedisclosure
Exploit Status
EPSS
0.13% (33% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-1912 is to upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's import/export functionality to trusted users only. Web Application Firewalls (WAFs) can be configured to block suspicious outbound requests originating from the plugin, specifically those targeting internal IP addresses or unusual domains. Monitor WordPress access logs for unusual outbound requests originating from the plugin’s files. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a known malicious URL and verifying that the request is blocked or handled safely.
Werk de Product Import Export for WooCommerce plugin bij naar versie 2.5.4 of hoger om de SSRF-kwetsbaarheid te mitigeren. Deze update pakt het probleem in de `validate_file()` functie aan, waardoor geauthenticeerde aanvallers willekeurige webverzoeken kunnen uitvoeren. Zorg ervoor dat u een back-up van uw website maakt voordat u de plugin bijwerkt.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-1912 is a Server-Side Request Forgery vulnerability affecting versions 1.0.0–2.5.0 of the Product Import Export for WooCommerce plugin, allowing authenticated admins to make arbitrary web requests.
Yes, if you are using Product Import Export for WooCommerce versions 1.0.0 through 2.5.0, you are vulnerable to this SSRF vulnerability.
Upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later to resolve the vulnerability. Consider temporary restrictions if immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.