CVE-2025-48144: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Import Export For WooCommerce WordPress plugin, identified as CVE-2025-48144. The vulnerability, which allows Stored XSS attacks, affects versions through 1.6.2 of the plugin. The issue was discovered by researcher Nguyen Thi Huyen Trang (Skalucy) and was publicly disclosed on May 16, 2025 (Wiz, Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and allows unauthenticated attackers to perform CSRF attacks that can lead to stored XSS (NVD, Wiz).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. The combination of CSRF with stored XSS capabilities increases the potential impact as it could lead to persistent malicious code execution in the context of other users' sessions (Patchstack).

As of the disclosure date, no official fix has been released for this vulnerability. Website administrators running affected versions of the Import Export For WooCommerce plugin should consider disabling the plugin until a patch becomes available (Patchstack).