cleantalk
Vulnerabilities and Security Researches

Import WP – Export and Import CSV and XML files to WordPress, CVE-2025-12894

CVE, Research URL

CVE-2025-12894

Home page URL

Security reports for Import WP – Export and Import CSV and XML files to WordPress

Application

Import WP – Export and Import CSV and XML files to WordPress

Published on
Nov 21, 2025
Research Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.
Affected versions
max 2.14.18.
Status
vulnerable
Previous vulnerability researches
wp-mpdf (CVE-2021-4342) , Jun 07, 2024
wp-mpdf (759deaefa4962cb2fbb05a1824851541db0e4ca8) , Jun 07, 2024
wp-mpdf (CVE-2021-4416) , Jun 07, 2024
wp-mpdf (CVE-2024-27962) , Jun 07, 2024
wp-mpdf (CVE-2025-60040) , Oct 11, 2025
New vulnerability
Master Addons for Elementor (CVE-2025-63055) , Dec 12, 2025
Ungapped Widgets (CVE-2025-12652) , Dec 12, 2025
S2B AI Assistant – ChatGPT, OpenAI, Content & Image Generator (CVE-2025-12973) , Dec 12, 2025
Import WP – Export and Import CSV and XML files to WordPress (CVE-2025-12894) , Dec 12, 2025
SKT Skill Bar (CVE-2025-66090) , Dec 11, 2025