CVE-2025-1912: 
WordPress vulnerability analysis and mitigation

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 2.5.0 via the validate_file() Function. This vulnerability was discovered on March 25, 2025 and assigned CVE-2025-1912. The vulnerability allows authenticated attackers with Administrator-level access and above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services (NVD).

The vulnerability exists in the validate_file() function within the plugin's import functionality. It has a CVSS v3.1 Base Score of 7.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability allows authenticated attackers with administrator privileges to send arbitrary web requests from the server. This could enable attackers to access and modify information from internal services, potentially leading to data breaches or system compromise (NVD).

Users should immediately update to version 2.5.1 or later of the Product Import Export for WooCommerce plugin, which contains security fixes for this vulnerability. The update was released on March 25, 2025 and includes patches for SSRF, Arbitrary File Deletion, PHP Object Injection, and Directory Traversal vulnerabilities (WordPress Plugin).