WordPress Plugin Vulnerabilities

WP Import – Ultimate CSV XML Importer for WordPress < 7.33.1 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.

Affects Plugins

Plugin icon
wp-ultimate-csv-importer
Fixed in 7.33.1

References

CVE
CVE-2025-12732
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
M Indra Purnama (type5afe)
Verified
No
WPVDB ID
662d9275-df16-451d-bd37-c298b2e11869

Timeline

Publicly Published
2025-11-11 (about 6 months ago)
Added
2025-11-11 (about 6 months ago)
Last Updated
2025-11-12 (about 6 months ago)

Other

Published
Title
Published
2026-03-12
Title
RSVP and Event Management < 2.7.17 - Unauthenticated Information Exposure
Published
2025-08-20
Title
Templately < 3.2.8 - Authenticated (Author+) Information Disclosure
Published
2023-09-08
Title
EWWW Image Optimizer < 7.2.1 - Sensitive Information Exposure
Published
2026-01-22
Title
Contact Form 7 GetResponse Extension <= 1.0.8 - Unauthenticated Information Exposure
Published
2026-02-03
Title
Magic Import Document Extractor <= 1.0.6 - Unauthenticated Sensitive Information Exposure