CVE-2025-12894
📋 TL;DR
The Import WP plugin for WordPress exposes sensitive data through unprotected directories. Unauthenticated attackers can access exported/imported files containing potentially confidential information. All WordPress sites using this plugin up to version 2.14.17 are affected.
💻 Affected Systems
- Import WP – Export and Import CSV and XML files to WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all exported/imported data including user information, configuration files, database dumps, or other sensitive content stored in the vulnerable directories.
Likely Case
Exposure of exported user data, content backups, or configuration files that could contain personally identifiable information or system details.
If Mitigated
Limited exposure if directories contain only non-sensitive test data or if proper access controls are implemented.
🎯 Exploit Status
Exploitation requires only web access to the vulnerable directories. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.14.18 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394624%40jc-importer&new=3394624%40jc-importer&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Import WP – Export and Import CSV and XML files to WordPress'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Add .htaccess protection
Create .htaccess files in the plugin's exportwp and importwp directories to block web access. Note that 'Deny from all' is Apache 2.2 syntax: on Apache 2.4 it only works when mod_access_compat is loaded (the equivalent 2.4 directive is 'Require all denied'), and .htaccess files are ignored by nginx and other non-Apache servers, where the same block must be applied in the server configuration or via a WAF rule.
echo 'Deny from all' > /path/to/wp-content/plugins/jc-importer/exportwp/.htaccess
echo 'Deny from all' > /path/to/wp-content/plugins/jc-importer/importwp/.htaccess
Remove vulnerable directories
Delete or rename the vulnerable directories if the import/export functionality is not actively used
rm -rf /path/to/wp-content/plugins/jc-importer/exportwp
rm -rf /path/to/wp-content/plugins/jc-importer/importwp
🧯 If You Can't Patch
- Disable or remove the Import WP plugin entirely
- Implement web application firewall rules to block access to /exportwp and /importwp paths
🔍 How to Verify
Check if Vulnerable:
Check if /wp-content/plugins/jc-importer/exportwp/ and /wp-content/plugins/jc-importer/importwp/ directories are accessible via web browser without authentication
Check Version:
wp plugin get jc-importer --field=version
Verify Fix Applied:
Verify plugin version is 2.14.18+ and test that /exportwp and /importwp directories return 403 Forbidden or are not accessible
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /exportwp/* or /importwp/* paths
- Unusual file downloads from plugin directories
- Multiple failed authentication attempts followed by directory access
Network Indicators:
- Unusual traffic patterns to plugin-specific directories
- Requests for .csv, .xml, .sql, or backup files from unauthorized IPs
SIEM Query:
source="web_access_logs" AND (uri_path="/wp-content/plugins/jc-importer/exportwp/*" OR uri_path="/wp-content/plugins/jc-importer/importwp/*") AND response_code=200
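The log indicator behind the SIEM query above, as an added example that is not part of the advisory: a small POSIX shell script that scans combined-format web access log lines (constructed sample lines below) for requests to the two Import WP directories that the server answered with HTTP 200, and lists the distinct client addresses that retrieved files from them.

```shell
#!/bin/sh
# Added example (not from the advisory): find successful (HTTP 200) requests to the
# Import WP exportwp/ and importwp/ directories in combined-format access logs.

# Constructed sample log lines. The 403 line is what the .htaccess workaround
# produces; the two 200 lines are the indicator of concern.
SAMPLE_LOG='203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /wp-content/plugins/jc-importer/exportwp/ HTTP/1.1" 200 1234 "-" "curl/8.0"
203.0.113.5 - - [10/Nov/2025:10:01:05 +0000] "GET /wp-content/plugins/jc-importer/exportwp/users.csv HTTP/1.1" 200 98765 "-" "curl/8.0"
198.51.100.7 - - [10/Nov/2025:10:02:00 +0000] "GET /wp-content/plugins/jc-importer/importwp/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:10:02:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# exposed_hits: read log lines on stdin and print "client path status" for every
# request under exportwp/ or importwp/ that was answered with status 200.
exposed_hits() {
  awk '
    # combined log format: $1 = client IP, $7 = request path, $9 = status code
    $7 ~ /^\/wp-content\/plugins\/jc-importer\/(exportwp|importwp)\// && $9 == 200 {
      print $1, $7, $9
    }'
}

# exposed_count: number of matching requests in the constructed sample.
exposed_count() {
  printf '%s\n' "$SAMPLE_LOG" | exposed_hits | wc -l | tr -d ' '
}

# exposed_clients: distinct client IPs that successfully read from the directories.
exposed_clients() {
  printf '%s\n' "$SAMPLE_LOG" | exposed_hits | awk '{ print $1 }' | sort -u
}

# Run against the sample; for a real server pipe the log in instead, e.g.
#   exposed_hits < /var/log/apache2/access.log
exposed_count
exposed_clients
```

A server that has applied the fix or the .htaccess workaround should produce no 200 lines for these paths at all, so any match after the fix date is worth investigating.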