CVE-2025-12732
📋 TL;DR
This vulnerability in the WP Import – Ultimate CSV XML Importer WordPress plugin allows authenticated attackers with Author-level access or higher to extract sensitive information, including OpenAI API keys stored in the plugin's settings. The flaw is a missing authorization (capability) check in the showsetting() function in controllers/SendPassword.php. All versions up to and including 7.33 are affected.
💻 Affected Systems
- WP Import – Ultimate CSV XML Importer for WordPress
⚠️ Manual Verification Required
The NVD/CVE record for this issue carries no machine-readable version range, so automated vulnerability detection cannot determine from it whether your installation is affected.
Why? The CVE database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The version numbers given elsewhere on this page (vulnerable up to 7.33, fixed in 7.34) should be confirmed against the references at the bottom before you rely on them.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding an Author account steals the OpenAI API key and any other credentials the plugin stores, runs up charges or exfiltrates data through the key's API access, and reuses the credentials against whatever other systems they belong to.
Likely Case
An Author-level user (a contributor account, or a compromised low-privilege login) calls the unprotected handler and reads the OpenAI API key and other plugin configuration secrets, enabling unauthorized API calls billed to the site owner and credential reuse elsewhere.
If Mitigated
If the plugin is patched or deactivated, or no secrets are stored in its settings, there is nothing for the endpoint to disclose; with tight role hygiene and monitoring, any residual impact is limited to information disclosure to an already-authenticated low-privilege user, without further system compromise.
🎯 Exploit Status
Exploitation requires an authenticated WordPress account at Author level or above. Once such an account exists, triggering the flaw is technically simple: because the authorization check is missing, a request from any such account reaches the handler without further obstacles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.34 or later
Fix Changeset (plugin repository, not a vendor advisory): https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Import – Ultimate CSV XML Importer'.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 7.34 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Plugin
Temporarily deactivate the vulnerable plugin until it is patched (imports stop working while it is off):
wp plugin deactivate wp-ultimate-csv-importer
Restrict User Roles
Downgrade untrusted Author-level (or higher) accounts to Contributor or Subscriber until patched. This shrinks the pool of accounts that can reach the handler but does not protect it: every remaining Author-or-higher account can still trigger the flaw.
🧯 If You Can't Patch
- Remove OpenAI API keys and other credentials from the plugin's configuration, and rotate any key that was stored there while a vulnerable version was installed, on the assumption that it may already have been read
- Restrict outbound API calls from the WordPress server with egress filtering; note that this only limits abuse from the server itself. A key extracted through this flaw is used from the attacker's own infrastructure, so rotation is the control that matters
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins
Check Version:
wp plugin get wp-ultimate-csv-importer --field=version
Verify Fix Applied:
Confirm the plugin version is 7.34 or higher after the update; a deactivated old copy is harmless only for as long as it stays deactivated
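The version check above can be scripted across several sites. The following is an added example, not code from the advisory or from the plugin vendor; it assumes WP-CLI is installed, that `sort -V` is available (GNU coreutils or a recent BSD sort), and takes the fixed version 7.34 from this page.

```shell
#!/bin/sh
# Added example (not from the advisory): flag WordPress installs still running a
# vulnerable wp-ultimate-csv-importer. Fixed version 7.34 is taken from the page.
FIXED_VERSION="7.34"
PLUGIN_SLUG="wp-ultimate-csv-importer"

# version_lt A B -> exit 0 if dotted version A sorts strictly before B.
# Relies on sort -V (assumption: GNU coreutils or BSD sort), which orders
# "7.9" before "7.34" numerically rather than lexically.
version_lt() {
    [ "$1" != "$2" ] && \
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# csv_importer_vulnerable VERSION -> exit 0 if VERSION is below the fixed release.
csv_importer_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH -> reads the installed plugin version through WP-CLI and
# reports; returns 1 for a vulnerable install so a loop can collect failures.
check_site() {
    ver="$(wp plugin get "$PLUGIN_SLUG" --path="$1" --field=version 2>/dev/null)" || {
        echo "$1: $PLUGIN_SLUG not installed"
        return 0
    }
    if csv_importer_vulnerable "$ver"; then
        echo "$1: VULNERABLE ($PLUGIN_SLUG $ver < $FIXED_VERSION)"
        return 1
    fi
    echo "$1: ok ($PLUGIN_SLUG $ver)"
}

# Usage: ./check_csv_importer.sh /var/www/site1 /var/www/site2 ...
# Exit status is non-zero if any site is vulnerable.
rc=0
for site in "$@"; do
    check_site "$site" || rc=1
done
exit_code_placeholder=$rc
```

The script only reads the version string; it does not touch the site. Pair it with `wp plugin update wp-ultimate-csv-importer --path=...` on the hosts it flags once you have confirmed the update on staging.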
📡 Detection & Monitoring
Log Indicators:
- Author-level (or other low-privilege) accounts requesting the plugin's settings endpoint, which they have no legitimate reason to reach
- After the update, authorization failures on that endpoint: once the fix adds the capability check that was missing, accounts still probing the old hole show up as denied requests (before the patch there is nothing to deny, so an absence of failures is not evidence that the flaw went unexploited)
Network Indicators:
- Unexpected outbound connections to the OpenAI API from the WordPress server, or from anywhere else using the site's key (baseline first if the plugin's OpenAI feature is in legitimate use)
SIEM Query:
source="wordpress" AND uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "showsetting"
Do not OR in a bare plugin="wp-ultimate-csv-importer" clause as a catch-all: it matches every event the plugin emits and buries the signal. Because admin-ajax actions are normally sent in the POST body, this query only works against a source that records request parameters (WAF, ModSecurity audit or application logs), not a plain access log.
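The indicators above can also be checked against a web-server access log. The following is an added example, not code from the advisory or the plugin: it assumes the handler is reached through admin-ajax.php with `action=showsetting` in the query string (the parameter value follows the SIEM query; the advisory names only the function), and the log lines are constructed samples. Most admin-ajax calls are POSTed, so the action sits in the request body and never reaches a combined-format access log; the fourth sample line models exactly that blind spot and is deliberately not flagged, which is why a WAF or application-level log is needed for full coverage.

```shell
#!/bin/sh
# Added example (not from the advisory): count, per client IP, requests in an
# Apache/nginx combined-format access log that target admin-ajax.php with the
# assumed parameter action=showsetting in the query string.

# Constructed sample log lines (not real traffic). Line 4 is a POST whose
# action is in the body, invisible here: it must NOT be counted.
SAMPLE_LOG='203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=showsetting HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:10:05:40 +0000] "POST /wp-admin/admin-ajax.php?action=showsetting HTTP/1.1" 200 480 "-" "curl/8.4"
198.51.100.7 - - [10/Nov/2025:10:05:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 480 "-" "curl/8.4"
192.0.2.9 - - [10/Nov/2025:11:00:00 +0000] "GET /wp-content/plugins/wp-ultimate-csv-importer/assets/x.js HTTP/1.1" 200 100 "-" "Mozilla/5.0"'

# showsetting_hits: reads a log on stdin, prints "ip<TAB>count" sorted by IP.
# In combined format $1 is the client IP and $7 the request path.
showsetting_hits() {
    awk '
        index($7, "/wp-admin/admin-ajax.php?") == 1 &&
        $7 ~ /[?&]action=showsetting(&|$)/ { hits[$1]++ }
        END { for (ip in hits) printf "%s\t%d\n", ip, hits[ip] }
    ' | sort
}

# showsetting_hit_total: total number of flagged requests on stdin.
showsetting_hit_total() {
    showsetting_hits | awk -F'\t' '{ n += $2 } END { print n + 0 }'
}

# Usage: ./showsetting_hits.sh /var/log/apache2/access.log
# With no argument the constructed sample is analysed.
if [ -n "${1:-}" ]; then
    showsetting_hits < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | showsetting_hits
fi
```

Feed the flagged IPs back into the WordPress user/session logs to map them to accounts; any Author-level account behind one of those IPs is the one to suspend while keys are rotated.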
🔗 References
- https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42
- https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72
- https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve