CVE-2025-12137: 
WordPress vulnerability analysis and mitigation

The Import WP – Export and Import CSV and XML files to WordPress plugin is vulnerable to Arbitrary File Read in versions up to and including 2.14.16. The vulnerability was discovered and reported by Wordfence, with disclosure on October 31, 2025. The issue affects the plugin's REST API endpoint which accepts arbitrary absolute file paths without proper validation in the 'attachfile()' function when handling 'filelocal' actions (NVD).

The vulnerability exists due to improper validation of file paths in the plugin's REST API endpoint. When handling 'filelocal' actions, the 'attachfile()' function accepts arbitrary absolute file paths via the 'local_url' parameter without adequate validation. This allows authenticated attackers with administrator-level access to read arbitrary files on the server's filesystem, including sensitive configuration files and system files. The vulnerability has been assigned a CVSS v3.1 score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (Wordfence).

The vulnerability allows authenticated attackers with administrator-level access to read arbitrary files on the server's filesystem. This could lead to exposure of sensitive information contained in configuration files and system files, potentially compromising the security of the WordPress installation (NVD).

The vulnerability has been patched in version 2.14.17 of the Import WP plugin. The fix implements a whitelist-based validation system using the 'iwp/importer/localfile/alloweddirectories' filter to restrict file access to specific directories. Users are strongly advised to update to version 2.14.17 or later (GitHub).