CVE-2025-1912
Published: 26 March 2025
Description
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-1912, published on 2025-03-26, is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress. It affects all versions up to and including 2.5.0, specifically via the validate_file() function located in the plugin's admin/modules/import/classes/class-import-ajax.php file around line 175. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact with changed scope.
Authenticated attackers possessing Administrator-level access or higher can exploit this SSRF flaw to compel the web server to make requests to arbitrary locations. This enables interaction with internal services inaccessible from the public internet, allowing attackers to query sensitive information or, in some cases, modify data on those services.
Advisories and patch details are available via referenced sources, including WordPress plugin changeset 3261194, which addresses the issue, and a Wordfence threat intelligence report. The plugin's developer page on WordPress.org provides further context for remediation. Security practitioners should apply the patch by updating the plugin beyond version 2.5.0.
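The summary above describes an import routine that fetched from an attacker-chosen URL without restricting where the server could connect. The following is an added illustration, not the plugin's code and not the content of changeset 3261194: a generic URL guard of the kind a server-side fetch feature (such as a CSV import-from-URL) needs in order to close a CWE-918 weakness. It allowlists schemes, rejects embedded credentials, resolves the hostname and refuses any address that is not globally routable (loopback, RFC 1918, link-local including the cloud metadata address, multicast, IPv4-mapped IPv6), and returns a pinned IP so the caller connects to the address that was checked rather than re-resolving. The DNS table and resolver are constructed for the example so it runs offline; the hostnames and addresses in it are made up.

```python
"""Added example (not the plugin's code): a defensive URL check for a
server-side fetch, closing the SSRF pattern described in CVE-2025-1912."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table for offline demonstration (not real records).
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "internal.corp": {"10.0.0.5"},
    "mixed.example": {"93.184.216.34", "10.0.0.5"},  # one public, one private
}


def demo_resolver(host):
    """Resolver stand-in: returns the constructed A records for a host."""
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return set(FAKE_DNS[host])


def system_resolver(host):
    """Real resolver: every address getaddrinfo returns for the host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_str):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap ::ffff:a.b.c.d so the IPv4 range rules apply to it too.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def check_fetch_url(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ip).

    When ok is True the caller should open the connection to pinned_ip and
    send the original hostname as the Host/SNI value, so a DNS record cannot
    change between this check and the connect (DNS rebinding)."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parsed.username or parsed.password:
        return False, "credentials in URL", None
    host = parsed.hostname
    if not host:
        return False, "missing host", None
    try:
        # A literal IPv4/IPv6 address (brackets already stripped by urlparse)
        # skips DNS but is still range-checked below.
        candidates = {str(ipaddress.ip_address(host))}
    except ValueError:
        # Not a strict literal: resolve it. Shorthand forms such as "127.1",
        # which ipaddress rejects, are expanded by the resolver and then
        # caught by the range check.
        try:
            candidates = resolver(host)
        except OSError:
            return False, "unresolvable host", None
    if not candidates:
        return False, "unresolvable host", None
    # Every resolved address must be public; one private record is enough
    # to reject, since the client may pick any of them.
    for ip in candidates:
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}", None
    return True, "ok", sorted(candidates)[0]


if __name__ == "__main__":
    for u in ("https://example.com/products.csv",
              "http://169.254.169.254/latest/meta-data/",
              "http://internal.corp/products.csv",
              "http://[::1]/products.csv",
              "ftp://example.com/products.csv"):
        print(u, "->", check_fetch_url(u, demo_resolver))
```

The check is only half of the mitigation: the fetching code must also disable or re-validate redirects (each hop goes through `check_fetch_url` again) and set short timeouts, otherwise a public host can bounce the server to an internal address after the check has passed.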
Details
CWE(s): CWE-918 (Server-Side Request Forgery)
Affected Products: Product Import Export for WooCommerce – Import Export Product CSV Suite (WordPress plugin), all versions up to and including 2.5.0
MITRE ATT&CK Enterprise Techniques: T1046 (Network Service Discovery), T1213 (Data from Information Repositories), T1565 (Data Manipulation)
Why these techniques?
SSRF allows admin-authenticated attackers to force server requests to arbitrary/internal locations, directly enabling internal network service discovery (T1046), querying sensitive data from information repositories (T1213), and modifying data on internal services (T1565).