Path Traversal Vulnerability in Woocommerce CSV Importer by WooCommerce
CVE-2018-25325

8.7HIGH

Key Information:

Vendor

WooCommerce-csvimport

Status
WooCommerce Csv-importer
Vendor
CVE Published:
17 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2018-25325?

The Woocommerce CSV Importer version 3.3.6 is vulnerable to path traversal attacks, enabling authenticated users to delete arbitrary files. By exploiting the delete_export_file AJAX action, attackers can submit specially crafted POST requests containing directory traversal sequences in the filename parameter. This flaw can lead to the removal of sensitive files, such as wp-config.php, thereby jeopardizing the security of the application and its data.

Affected Version(s)

WooCommerce CSV-Importer 3.3.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-25325 - Proof of Concept

References

https://www.exploit-db.com/exploits/44433
exploit
http://lenonleite.com.br/
product
https://www.vulncheck.com/advisories/woocommerce-csv-impo...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lenon Leite
.