CVE-2025-12137: CWE-73 External Control of File Name or Path in jcollings Import WP – Export and Import CSV and XML files to WordPress
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
AI Analysis
Technical Summary
CVE-2025-12137 is a vulnerability classified under CWE-73 (External Control of File Name or Path) affecting the WordPress plugin 'Import WP – Export and Import CSV and XML files to WordPress' by jcollings. The flaw exists in the plugin's REST API endpoint that handles 'file_local' actions via the 'attach_file()' function. This endpoint accepts arbitrary absolute file paths through the 'local_url' parameter without proper validation or sanitization. As a result, authenticated users with administrator-level privileges or higher can exploit this to perform arbitrary file reads on the server hosting the WordPress instance. This can expose sensitive files such as configuration files (e.g., wp-config.php), system files, or other data stored on the server. The vulnerability affects all plugin versions up to and including 2.14.16. The CVSS v3.1 base score is 4.9, reflecting medium severity, with attack vector network, low attack complexity, high privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. No public exploits have been reported yet, and no patches have been linked at the time of publication. The vulnerability was reserved on 2025-10-23 and published on 2025-11-01. The flaw highlights the risk of insufficient input validation in REST API endpoints that handle file paths, especially when exposed to privileged users.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive server-side files, which can include WordPress configuration files containing database credentials, API keys, or other secrets. This information disclosure can facilitate further attacks such as privilege escalation, lateral movement, or data exfiltration. Since exploitation requires administrator-level access, the threat is somewhat limited to insiders or attackers who have already compromised an admin account. However, given the widespread use of WordPress and this plugin, the vulnerability can be leveraged in multi-tenant hosting environments or by attackers who gain admin credentials through phishing or other means. The vulnerability does not affect integrity or availability directly but can significantly compromise confidentiality, undermining trust and potentially leading to broader system compromise. Organizations relying on this plugin without mitigation risk exposure of critical internal files, which can have regulatory and reputational consequences.
Mitigation Recommendations
Immediate mitigation steps include restricting administrator access to trusted personnel only and auditing existing admin accounts for suspicious activity. Network-level controls such as web application firewalls (WAFs) can be configured to block or monitor requests to the vulnerable REST API endpoint, especially those containing suspicious 'local_url' parameters. Administrators should disable or remove the vulnerable plugin if it is not essential. Since no official patch is currently available, organizations should monitor the vendor’s announcements and apply updates promptly once released. Additionally, implementing file system permissions to limit the WordPress process's ability to read sensitive files can reduce exposure. Regularly scanning WordPress installations for outdated or vulnerable plugins and enforcing the principle of least privilege for admin accounts are also recommended. Logging and alerting on unusual file access patterns can help detect exploitation attempts.
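The root cause described in the Technical Summary is a file path taken from the request and used as-is. The generic fix for this CWE-73 pattern, and the "proper validation" the Mitigation Recommendations refer to, is to canonicalize the supplied path and accept it only if it resolves to a regular file inside one allowed directory. The PHP below is an added illustration of that check; it is not the plugin's code, and the helper name, the choice of an uploads-style directory as the allow-list base, and the temporary fixtures it builds are all assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): confine a user-supplied "local file"
// path to one allowed base directory before reading it. The helper name, the
// allowed-directory choice and the constructed fixtures below are assumptions.

/**
 * Resolve $localUrl to a real, regular file inside $allowedBase.
 * Returns the canonical path on success, or null when the input must be rejected.
 */
function importwp_example_confine_path(string $localUrl, string $allowedBase): ?string
{
    // Embedded NUL bytes truncate paths in lower-level calls (and PHP 8 throws
    // on them), so reject before touching the filesystem.
    if (strpos($localUrl, "\0") !== false) {
        return null;
    }

    $base = realpath($allowedBase);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Canonical base with exactly one trailing separator, so "/srv/uploads-evil"
    // cannot pass a prefix check against "/srv/uploads".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() collapses "..", "." and symlinks; a missing file yields false.
    $resolved = realpath($localUrl);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }

    // Byte-exact prefix comparison on the canonical path.
    if (strncmp($resolved, $base, strlen($base)) !== 0) {
        return null;
    }

    return $resolved;
}

// ---- Self-contained demonstration on a constructed temporary tree ----
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'importwp-example-' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
$evil    = $root . DIRECTORY_SEPARATOR . 'uploads-evil';  // sibling sharing the prefix
$secret  = $root . DIRECTORY_SEPARATOR . 'wp-config.php'; // stands in for a sensitive file
mkdir($uploads, 0700, true);
mkdir($evil, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'products.csv', "sku,price\nA1,9.99\n");
file_put_contents($evil . DIRECTORY_SEPARATOR . 'x.csv', "constructed\n");
file_put_contents($secret, "<?php define('DB_PASSWORD', 'constructed-sample');\n");
// A symlink inside uploads that points outside it must also be rejected.
@symlink($secret, $uploads . DIRECTORY_SEPARATOR . 'config-link.php');

$cases = [
    'legitimate import file'        => $uploads . '/products.csv',
    'dot-dot escape'                => $uploads . '/../wp-config.php',
    'absolute path outside uploads' => $secret,
    'symlink escaping uploads'      => $uploads . '/config-link.php',
    'sibling dir sharing prefix'    => $evil . '/x.csv',
    'NUL byte in path'              => $uploads . "/products.csv\0.txt",
];

foreach ($cases as $label => $candidate) {
    $result = importwp_example_confine_path($candidate, $uploads);
    printf("%-32s %s\n", $label . ':', $result === null ? 'REJECTED' : 'accepted -> ' . $result);
}

// Remove the constructed fixtures.
@unlink($uploads . DIRECTORY_SEPARATOR . 'config-link.php');
unlink($uploads . DIRECTORY_SEPARATOR . 'products.csv');
unlink($evil . DIRECTORY_SEPARATOR . 'x.csv');
unlink($secret);
rmdir($uploads);
rmdir($evil);
rmdir($root);
```

Only the first case is accepted; every other candidate, including the symlink and the sibling directory whose name shares the allowed prefix, is refused because the comparison runs on the canonical path returned by `realpath()` rather than on the raw request string. The same shape of check also gives a WAF rule or log monitor a concrete definition of "suspicious `local_url`": any value that does not resolve beneath the configured import directory.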
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T21:15:40.493Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec85
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 2/27/2026, 8:10:56 PM
Last updated: 3/23/2026, 4:08:33 AM