Directory Traversal Vulnerability in Product Import Export for WooCommerce by WordPress
CVE-2025-1769

4.9 MEDIUM

What is CVE-2025-1769?

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is susceptible to a Directory Traversal vulnerability. This flaw affects all versions up to and including 2.5.0, allowing authenticated users with Administrator-level access and above to exploit the download_file() function. Attackers can access arbitrary log files on the server, potentially exposing sensitive information and internal data, thereby compromising the integrity and confidentiality of the web application.

Affected Version(s)

Product Import Export for WooCommerce – Import Export Product CSV Suite * <= 2.5.0

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hay Mizrachi