Arbitrary File Read Vulnerability in Import WP Plugin for WordPress
CVE-2025-12137

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Import WP – Export And Import Csv And Xml Files To WordPress
Vendor: CVE Published:; 1 November 2025

What is CVE-2025-12137?

The Import WP – Export and Import CSV and XML files to WordPress plugin is susceptible to an Arbitrary File Read vulnerability due to improper validation of file paths in its REST API endpoint. This flaw arises in the 'attach_file()' function, where the 'file_local' actions permit authenticated users, specifically those with administrator-level access, to access and read files from the server's filesystem. The exploitation of this vulnerability could lead to exposure of sensitive configuration and system files, posing significant security risks to affected installations.

Affected Version(s)

Import WP – Export and Import CSV and XML files to WordPress * <= 2.14.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/jc-importer/tr...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2025
Vulnerability Reserved
Oct 23, 2025

Credit

Jonas Benjamin Friedli

JSON