cleantalk
Vulnerabilities and Security Researches

Import WP – Export and Import CSV and XML files to WordPress, CVE-2025-12894

CVE, Research URL

CVE-2025-12894

Home page URL

Security reports for Import WP – Export and Import CSV and XML files to WordPress

Application

Import WP – Export and Import CSV and XML files to WordPress

Published on
Nov 21, 2025
Research Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.
Affected versions
max 2.14.18.
Status
vulnerable
Previous vulnerability researches
CYAN Backup (CVE-2024-52390) , Nov 15, 2024
CYAN Backup (CVE-2025-12092) , Dec 11, 2025
CYAN Backup (CVE-2024-9662) , May 19, 2025
CYAN Backup (CVE-2024-9663) , May 19, 2025
New vulnerability
Import WP – Export and Import CSV and XML files to WordPress (CVE-2025-12894) , Dec 12, 2025
SKT Skill Bar (CVE-2025-66090) , Dec 11, 2025
Trail Manager (CVE-2025-13682) , Dec 11, 2025
Course Booking System (CVE-2025-12042) , Dec 11, 2025
Chamber Dashboard Business Directory (CVE-2025-13414) , Dec 11, 2025