Server-Side Request Forgery Vulnerability in WP Import Plugin by WordPress
CVE-2025-14627

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: WP Ultimate Csv Importer – Import Csv, Xml & Excel Into WordPress
Vendor: CVE Published:; 1 January 2026

What is CVE-2025-14627?

The WP Import – Ultimate CSV XML Importer plugin for WordPress exposes a vulnerability allowing authenticated users with Contributor-level access or higher to exploit Server-Side Request Forgery. This occurs due to improper validation in the upload_function() method when handling Bitly shortlink redirects. Although the initial URL is validated, the final redirect URL is not checked, enabling attackers to initiate HTTP requests to arbitrary internal services. This can lead to the unauthorized exposure of sensitive data, including internal endpoints and cloud metadata.

Affected Version(s)

WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress 0 <= 7.35

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-ultimate-cs...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 1, 2026
Vulnerability Reserved
Dec 12, 2025

Credit

Dieu Link

GCSC Vietnam

CVE-2025-14627 Data

JSON