Platform
wordpress
Component
product-import-export-for-woo
Fixed in
1.10.0
2.5.4
CVE-2025-1912 is a Server-Side Request Forgery (SSRF) vulnerability in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin. An authenticated attacker with administrator-level access can make the WordPress server issue web requests to arbitrary destinations through the plugin's validate_file() function. Versions 1.0.0 through 2.5.0 are affected; the fix ships in version 2.5.4.
An SSRF lets the attacker turn the WordPress server into a proxy for requests they could not send themselves. Because the request originates from the server, it can reach services that are not exposed to the internet: loopback-bound services, hosts on the hosting provider's internal network, and, on cloud instances, the instance metadata endpoint, which can hand out credentials. How much the attacker can read back depends on whether the plugin returns the response or only an error; even a blind SSRF still allows probing internal hosts and ports and triggering actions on internal services. The precondition matters for risk ranking: the attacker must already hold an administrator account, which on a standard WordPress install can install plugins and run PHP, so the bug adds the most risk on hardened or managed installs where administrators cannot upload code but the server still has reach into an internal network, and on multi-tenant hosts where one compromised admin account could reach a neighbour's services. The plugin's wide use in e-commerce means the number of exposed sites is large.
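The defence an import feature needs before fetching a user-supplied URL is a destination check that resolves the host and refuses anything that is not a public, routable address. The following is an added example written for this page, not code from the plugin; the plugin's validate_file() is not reproduced, and the function and parameter names are assumptions. It blocks the targets an SSRF is typically aimed at: loopback, RFC 1918 and ULA ranges, the link-local 169.254.169.254 metadata address, IPv4-mapped IPv6 forms of those, and non-http(s) schemes.

```python
"""Added example: SSRF-safe destination check for a URL supplied by a user.

Not the plugin's code. check_fetch_target() and its resolver parameter are
illustrative names chosen for this example.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every address the server could connect to.

    getaddrinfo also normalises short forms such as '127.1' or the decimal
    '2130706433' to 127.0.0.1, so those bypass tricks are caught as well.
    """
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_forbidden_ip(ip) -> bool:
    """True for anything that is not a globally routable unicast address.

    is_global is False for loopback, private (RFC 1918 / fc00::/7), link-local
    (169.254.0.0/16, so the cloud metadata endpoint), unspecified, reserved and
    shared-address space. IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first
    so the IPv4 rules apply to it.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast


def check_fetch_target(url: str, resolver=_default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is about to fetch.

    Every address the host resolves to must pass; a name with one public and
    one internal A record is rejected rather than left to the connect() lottery.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # already lower-cased and bracket-stripped by urlsplit
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    try:
        # Literal IP: check it directly, no DNS involved.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
        if not addrs:
            return False, "host did not resolve"

    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr!r}"
        if _is_forbidden_ip(ip):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Demonstration with a stub resolver so it runs offline (constructed data).
    fake_dns = {"example.com": ["93.184.216.34"], "intranet.corp": ["10.1.2.3"]}
    for candidate in (
        "https://example.com/products.csv",
        "http://intranet.corp/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:8080/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_fetch_target(candidate, resolver=lambda h: fake_dns[h]))
```

Two caveats apply in production code. The check and the later connect() can resolve the name differently (DNS rebinding), so the fetch should connect to the address that was checked rather than resolving again, and any HTTP redirect must be re-checked against the same rules before it is followed.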
This vulnerability was publicly disclosed on March 26, 2025. There is currently no indication of active exploitation in the wild, but the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. The plugin's popularity increases the likelihood of exploitation if a public proof-of-concept is released. It is not currently listed on the CISA KEV catalog.
E-commerce sites running WordPress with the Product Import Export for WooCommerce plugin at versions 1.0.0 through 2.5.0 are affected. Sites that rely on a hosting provider or an agency to apply plugin updates should confirm that this update has actually been applied rather than assume it.
• wordpress / composer / npm (confirm the plugin and the function are present; the directory name is the plugin slug from the Component field above, adjust the path to your install):
grep -rn 'validate_file(' /var/www/html/wp-content/plugins/product-import-export-for-woo/
• generic web (the plugin's readme.txt is normally world-readable and its "Stable tag" line gives the installed version; a Server header tells you nothing about the plugin):
curl -s https://your-wordpress-site.com/wp-content/plugins/product-import-export-for-woo/readme.txt | grep -i 'Stable tag'
• wordpress / composer / npm (wp plugin list prints the slug, not the display name; the version column is what matters):
wp plugin list | grep product-import-export-for-woo
• wordpress / composer / npm:
wp plugin update product-import-export-for-woo
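The commands above give you a version string; classifying it against the ranges in this advisory is where mistakes happen (string comparison puts "2.10" before "2.5"). The following is an added example, not tooling from the plugin or the advisory source: it extracts the version from a readme.txt or plugin header and classifies it as affected (1.0.0 through 2.5.0), fixed (2.5.4 or later) or unknown (anything outside both ranges, including "trunk"), so that releases the advisory does not cover are flagged for a manual look instead of silently passing. The readme text embedded below is constructed for the example.

```python
"""Added example: classify an installed plugin version against this advisory.

Ranges are taken from the advisory text (affected 1.0.0-2.5.0, fixed in 2.5.4).
The sample readme below is constructed, not copied from the plugin.
"""
import re

AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (2, 5, 0)
FIXED_IN = (2, 5, 4)

# Constructed stand-in for wp-content/plugins/<slug>/readme.txt
SAMPLE_README = """\
=== Product Import Export for WooCommerce ===
Requires at least: 5.0
Stable tag: 2.4.3
"""


def parse_version(text):
    """Turn '2.5.0', '2.5' or 'v2.5.1-beta' into a 3-tuple of ints.

    Numeric tuples compare correctly ((2, 10, 0) > (2, 5, 4)), which a plain
    string comparison of '2.10.0' and '2.5.4' does not. Returns None for
    non-numeric tags such as 'trunk'.
    """
    match = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def version_from_readme(text):
    """Pull the version out of a WordPress readme.txt ('Stable tag: x.y.z')
    or a plugin main file header ('Version: x.y.z'). None if neither is present."""
    match = re.search(
        r"^\s*(?:Stable tag|Version)\s*:\s*(\S+)", text, re.IGNORECASE | re.MULTILINE
    )
    return match.group(1) if match else None


def classify(version_text):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if version >= FIXED_IN:
        return "fixed"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    # Below 1.0.0 or in the 2.5.1-2.5.3 gap the advisory does not describe:
    # do not assume either way, check the vendor changelog.
    return "unknown"


def classify_readme(text):
    """Convenience wrapper: (version string or None, classification)."""
    version_text = version_from_readme(text)
    return version_text, classify(version_text or "")


if __name__ == "__main__":
    print(classify_readme(SAMPLE_README))
```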
Exploit status
EPSS
0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-1912 is to upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later. If the upgrade cannot be applied immediately, reduce exposure in the meantime. Keep administrator accounts to the minimum and protect them with strong authentication, since the flaw is reachable only with administrator privileges. Restrict what the web server process can reach on the network: egress filtering at the host or network firewall (not a WAF, which inspects inbound traffic) should block connections from the web server to loopback, RFC 1918 ranges and the link-local metadata address 169.254.169.254 unless a service legitimately needs them. Log and review outbound connections from the web server in firewall, proxy or flow logs; the WordPress access log records only inbound requests and will not show an SSRF. After upgrading, confirm the installed version is 2.5.4 or later. If you test the import function with an internal URL as the source, do it on a staging copy and verify that the request is rejected rather than relayed.
Update the Product Import Export for WooCommerce plugin to version 2.5.4 or later to mitigate the SSRF vulnerability. This update addresses the flaw in the `validate_file()` function that allows authenticated attackers to make arbitrary web requests. Back up your site before updating the plugin.
CVE-2025-1912 is a Server-Side Request Forgery vulnerability affecting versions 1.0.0–2.5.0 of the Product Import Export for WooCommerce plugin, allowing authenticated admins to make arbitrary web requests.
Yes, if you are using Product Import Export for WooCommerce versions 1.0.0 through 2.5.0, you are vulnerable to this SSRF vulnerability.
Upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later to resolve the vulnerability. Consider temporary restrictions if immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.