
CVE-2025-12894: Critical Data Exposure in Import WP WordPress Plugin

Overview

CVE-2025-12894 is a medium-severity vulnerability affecting the “Import WP – Export and Import CSV and XML files to WordPress” plugin for WordPress. Because the plugin does not restrict web access to the files it exports and imports, an unauthenticated attacker can potentially read sensitive data from them. The flaw exists in versions up to and including 2.14.17.

Technical Details

Import WP versions up to and including 2.14.17 are vulnerable to sensitive information exposure. The root cause is improper protection of the /exportwp and /importwp directories, which store exported and imported files respectively. Neither directory is protected by an .htaccess file that denies direct web access, so an unauthenticated attacker can request these directories directly and download the sensitive data contained in the exported files, or potentially upload malicious data to be imported.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12894 is 5.3 (Medium).

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)

This score reflects the ease with which an attacker can exploit the vulnerability over the network and the potential for data disclosure.

Possible Impact

Successful exploitation of CVE-2025-12894 can lead to:

  • Data Leakage: Exposure of sensitive information stored within WordPress, potentially including user data, configuration details, and other confidential information contained within the exported files.
  • Unauthorized Data Modification: Although the CVSS score records no integrity impact, the ability to place import files in the directory opens the door to more advanced attacks in which malicious data is imported and modifies the WordPress site.
  • Reputational Damage: A data breach can damage the reputation of the website owner.

Mitigation and Patch Steps

The recommended solution is to update the “Import WP – Export and Import CSV and XML files to WordPress” plugin to the latest version. The vulnerability is addressed in versions after 2.14.17.

  1. Update the Plugin: Log in to your WordPress admin dashboard and navigate to the “Plugins” section. Update the “Import WP” plugin to the latest available version.
  2. Verify .htaccess Protection (If possible): After updating, ensure that the /exportwp and /importwp directories are properly protected by an .htaccess file that denies direct access from the web. Check the plugin documentation for details on how this is implemented in the patched version.
  3. Review Existing Exports: Consider reviewing and potentially deleting any existing export files in the /exportwp directory to minimize potential risk.
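The audit in step 2 can be scripted. The following is an added example, not code from the advisory or from the Import WP project. It assumes (this is not stated on the page) that the plugin keeps its working directories under `wp-content/uploads/importwp` and `wp-content/uploads/exportwp`, and that the site runs on Apache with `AllowOverride` enabled so a per-directory `.htaccess` is honoured. It checks each directory for a blanket deny rule, writes a hardened `.htaccess` where one is missing, and interprets the HTTP status a defender gets back when probing their own site's directory URL. The sample directory layout it builds is constructed for demonstration.

```python
"""Audit and harden the Import WP upload directories (added example).

Assumptions (not from the advisory): the plugin stores its files under
<wordpress>/wp-content/uploads/importwp and .../exportwp; adjust PLUGIN_DIRS
or the uploads path if your install differs. Apache must honour .htaccess
(AllowOverride) for the written rule to take effect.
"""
import os
import sys
import tempfile

# Directory names the advisory mentions, relative to the uploads folder
# (exact location is an assumption; see module docstring).
PLUGIN_DIRS = ("importwp", "exportwp")

# Deny every direct web request for files in the directory. The first stanza
# targets Apache 2.4, the second keeps Apache 2.2 hosts covered, and
# -Indexes stops directory listings if the deny rule is ever bypassed.
HARDENED_HTACCESS = """# Block direct web access to Import WP working files
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
Options -Indexes
"""

DENY_MARKERS = ("require all denied", "deny from all")


def htaccess_denies_access(path: str) -> bool:
    """True if an .htaccess file exists at path and contains a blanket deny rule."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read().lower()
    except FileNotFoundError:
        return False
    return any(marker in text for marker in DENY_MARKERS)


def audit(uploads_dir: str) -> dict:
    """Return {dirname: 'protected' | 'exposed' | 'absent'} for each plugin dir."""
    result = {}
    for name in PLUGIN_DIRS:
        directory = os.path.join(uploads_dir, name)
        if not os.path.isdir(directory):
            result[name] = "absent"
        elif htaccess_denies_access(os.path.join(directory, ".htaccess")):
            result[name] = "protected"
        else:
            result[name] = "exposed"
    return result


def harden(uploads_dir: str) -> list:
    """Write HARDENED_HTACCESS into every existing, unprotected plugin dir.

    Returns the names of the directories that were changed. An existing
    .htaccess that lacks a deny rule is backed up before being replaced.
    """
    changed = []
    for name, state in audit(uploads_dir).items():
        if state != "exposed":
            continue
        target = os.path.join(uploads_dir, name, ".htaccess")
        if os.path.exists(target):
            os.replace(target, target + ".bak")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(HARDENED_HTACCESS)
        os.chmod(target, 0o644)
        changed.append(name)
    return changed


def classify_http_status(status: int) -> str:
    """Interpret the status returned when you request your own site's
    /wp-content/uploads/exportwp/ URL: 200 means the server served the
    directory or a file in it, 403 is what a working deny rule produces,
    404 usually means the directory does not exist."""
    return {200: "exposed", 403: "protected", 404: "absent"}.get(status, "unknown")


def make_sample_uploads() -> str:
    """Build a constructed uploads tree resembling an unpatched install:
    importwp already carries a deny rule, exportwp has no .htaccess at all."""
    root = tempfile.mkdtemp(prefix="importwp-demo-")
    os.makedirs(os.path.join(root, "importwp"))
    os.makedirs(os.path.join(root, "exportwp"))
    with open(os.path.join(root, "importwp", ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("Require all denied\n")
    return root


if __name__ == "__main__":
    uploads = sys.argv[1] if len(sys.argv) > 1 else make_sample_uploads()
    print("before:", audit(uploads))
    print("hardened:", harden(uploads))
    print("after:", audit(uploads))
```

Run it with the path to the real uploads directory to audit and harden a live install, or with no argument to exercise it against the constructed sample tree. On nginx the `.htaccess` file is ignored entirely, so the equivalent protection is a `location` block for the two directories with `deny all`, and the `classify_http_status` check is then the only part of this script that still applies.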
