平台
wordpress
组件
product-import-export-for-woo
修复版本
1.10.0
2.5.4
CVE-2025-1912 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin. This flaw allows authenticated attackers, specifically those with administrator-level access, to initiate web requests to arbitrary locations through the validate_file() function. The vulnerability impacts versions 1.0.0 through 2.5.0 of the plugin, and a patch is available in version 2.5.4.
The SSRF vulnerability allows an authenticated administrator to craft malicious requests that originate from the WordPress application. This can be exploited to query internal services that are not directly accessible from the outside world, potentially exposing sensitive data or allowing attackers to interact with internal systems. For example, an attacker could attempt to access internal APIs, database management interfaces, or other administrative panels. The impact is amplified by the plugin's popularity and widespread use in e-commerce environments, potentially affecting a large number of online stores. Successful exploitation could lead to data breaches, unauthorized access to internal resources, and even complete compromise of the web server.
This vulnerability was publicly disclosed on March 26, 2025. There is currently no indication of active exploitation in the wild, but the SSRF nature of the vulnerability makes it a potential target for opportunistic attackers. The plugin's popularity increases the likelihood of exploitation if a public proof-of-concept is released. It is not currently listed on the CISA KEV catalog.
E-commerce businesses using WordPress and the Product Import Export for WooCommerce plugin are at risk. Specifically, sites running versions 1.0.0 through 2.5.0 are vulnerable. Shared hosting environments where plugin updates are managed by the hosting provider may be particularly susceptible if they haven't applied the update.
• wordpress / composer / npm:
grep -r 'validate_file()' /var/www/html/wp-content/plugins/product-import-export-for-woocommerce/• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/product-import-export-for-woocommerce/ | grep Server• wordpress / composer / npm:
wp plugin list | grep 'Product Import Export for WooCommerce'• wordpress / composer / npm:
wp plugin update product-import-export-for-woocommercedisclosure
漏洞利用状态
EPSS
0.13% (33% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-1912 is to upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's import/export functionality to trusted users only. Web Application Firewalls (WAFs) can be configured to block suspicious outbound requests originating from the plugin, specifically those targeting internal IP addresses or unusual domains. Monitor WordPress access logs for unusual outbound requests originating from the plugin’s files. After upgrading, confirm the fix by attempting to trigger the vulnerable function with a known malicious URL and verifying that the request is blocked or handled safely.
将 Product Import Export for WooCommerce 插件更新到 2.5.4 或更高版本以缓解 SSRF 漏洞。 此更新解决了 `validate_file()` 函数中的缺陷,该缺陷允许经过身份验证的攻击者发起任意 Web 请求。 在更新插件之前,请务必备份您的网站。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-1912 is a Server-Side Request Forgery vulnerability affecting versions 1.0.0–2.5.0 of the Product Import Export for WooCommerce plugin, allowing authenticated admins to make arbitrary web requests.
Yes, if you are using Product Import Export for WooCommerce versions 1.0.0 through 2.5.0, you are vulnerable to this SSRF vulnerability.
Upgrade the Product Import Export for WooCommerce plugin to version 2.5.4 or later to resolve the vulnerability. Consider temporary restrictions if immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。