WordPress Plugin Vulnerabilities

Import WP – Export and Import CSV and XML files to WordPress < 2.14.18 - Unauthenticated Information Exposure

Description

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.

Affects Plugins

Plugin icon
jc-importer
Fixed in 2.14.18

References

CVE
CVE-2025-12894
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/28ca9590-dc0b-40c9-9de6-1480094ea8be

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
type5afe
Verified
No
WPVDB ID
d21e0229-bdf0-4ca8-9ad7-35f6c4284f83

Timeline

Publicly Published
2025-11-20 (about 4 months ago)
Added
2025-11-20 (about 4 months ago)
Last Updated
2025-11-21 (about 4 months ago)

Other

Published
Title
Published
2025-02-23
Title
Download Manager < 3.3.07 - Unauthenticated Data Exposure
Published
2022-11-28
Title
Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download
Published
2024-10-10
Title
Contact Form by Bit Form< 2.15.3 - Admin+ Arbitrary File Read
Published
2025-11-10
Title
Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read
Published
2022-08-17
Title
All-in-One Video Gallery 2.5.8 - 2.6.0 - Unauthenticated Arbitrary File Download & SSRF