Server-Side Request Forgery Vulnerability in WP Import Plugin by WordPress
CVE-2025-14627

6.4MEDIUM

Key Information:

Vendor

WordPress
Status
WP Import – Ultimate Csv Xml Importer For WordPress
Vendor
CVE Published:
1 January 2026

What is CVE-2025-14627?

The WP Import – Ultimate CSV XML Importer plugin for WordPress exposes a vulnerability allowing authenticated users with Contributor-level access or higher to exploit Server-Side Request Forgery. This occurs due to improper validation in the upload_function() method when handling Bitly shortlink redirects. Although the initial URL is validated, the final redirect URL is not checked, enabling attackers to initiate HTTP requests to arbitrary internal services. This can lead to the unauthorized exposure of sensitive data, including internal endpoints and cloud metadata.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WP Import – Ultimate CSV XML Importer for WordPress * <= 7.35

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wp-ultimate-cs...
https://plugins.trac.wordpress.org/browser/wp-ultimate-cs...

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dieu Link
GCSC Vietnam
JSON
.