CVE-2025-12137: CWE-73 External Control of File Name or Path in jcollings Import WP – Export and Import CSV and XML files to WordPress
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
AI Analysis
Technical Summary
CVE-2025-12137 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the Import WP – Export and Import CSV and XML files to WordPress plugin developed by jcollings. The flaw exists in all plugin versions up to and including 2.14.16. The vulnerability stems from the plugin's REST API endpoint that handles 'file_local' actions via the 'attach_file()' function. This function accepts a 'local_url' parameter representing a file path on the server. Due to insufficient validation or sanitization of this parameter, an authenticated attacker with administrator privileges can supply arbitrary absolute file paths. This allows the attacker to read arbitrary files on the server's filesystem, including sensitive configuration files (e.g., wp-config.php) and system files, potentially exposing credentials, keys, or other sensitive data. The attack vector requires network access to the WordPress REST API and valid admin credentials, but no additional user interaction is needed. The CVSS v3.1 base score is 4.9, reflecting medium severity, with high impact on confidentiality but no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risk of insufficient input validation in REST API endpoints, especially in plugins that handle file operations.
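The bug class described above, as an added illustration rather than Import WP's own code: a hypothetical `attach_local_file_unsafe()` shows the CWE-73 shape (the request parameter becomes the path with no check at all), and `resolve_local_import_path()` shows the corresponding fix, canonicalising the requested path with `realpath()` and accepting it only when the result lies inside one allowlisted directory. All function names, the temporary directory and the sample files are constructed for the demo; the page does not show the plugin's real implementation.

```php
<?php
// Added illustration of the CVE-2025-12137 bug class (CWE-73); not Import WP's code.
// Function names below are hypothetical.

// Vulnerable shape: the request parameter is used as the path, unchanged,
// so any file the web server process can read is accepted.
function attach_local_file_unsafe(string $local_url)
{
    return file_get_contents($local_url);
}

/**
 * Hardened shape: resolve the requested path and accept it only if the
 * resolved result lives inside one allowlisted directory. A WordPress plugin
 * would pass wp_upload_dir()['basedir'] (or a dedicated import folder) as
 * $allowed_root; the demo below uses a temporary directory instead.
 * Returns the canonical path, or null when the request must be refused.
 */
function resolve_local_import_path(string $local_url, string $allowed_root): ?string
{
    if ($local_url === '') {
        return null;
    }
    // Refuse stream wrappers (php://, phar://, ftp://, ...) before touching the
    // filesystem; realpath() would reject them too, this just makes it explicit.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $local_url)) {
        return null;
    }
    $root = realpath($allowed_root);
    if ($root === false) {
        return null;
    }
    // Relative input is interpreted against the root; absolute input is kept.
    $requested = ($local_url[0] === DIRECTORY_SEPARATOR)
        ? $local_url
        : $root . DIRECTORY_SEPARATOR . $local_url;
    // realpath() collapses "..", "." and symlinks, so the containment test
    // below runs on the path the filesystem would actually open.
    $candidate = realpath($requested);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the allowlisted directory
    }
    return is_file($candidate) ? $candidate : null;
}

// --- demo with constructed files in a temporary directory ---
$base = sys_get_temp_dir() . '/importwp-demo-' . bin2hex(random_bytes(4));
$root = $base . '/uploads';          // the only directory imports may read from
mkdir($root, 0700, true);
file_put_contents($root . '/products.csv', "sku,price\nA1,9.99\n");
file_put_contents($base . '/secret.txt', "outside the import directory\n");

$cases = [
    'products.csv',                        // relative, inside the root
    $root . '/products.csv',               // absolute, inside the root
    '../secret.txt',                       // traversal towards a sibling of the root
    $base . '/secret.txt',                 // absolute path outside the root
    'php://filter/resource=products.csv',  // stream wrapper instead of a file path
];
foreach ($cases as $case) {
    $resolved = resolve_local_import_path($case, $root);
    printf("%-60s => %s\n", $case, $resolved === null ? 'REFUSED' : 'OK ' . basename($resolved));
}

unlink($root . '/products.csv');
unlink($base . '/secret.txt');
rmdir($root);
rmdir($base);
```

The ordering matters: the containment test is done on the output of `realpath()`, not on the raw string, so `..` segments and symlinks that point outside the allowed directory are caught, and the trailing separator on the prefix prevents a sibling directory such as `uploads2` from passing as a match for `uploads`.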
Potential Impact
For European organizations, this vulnerability poses a significant risk of sensitive data exposure if the affected plugin is in use on WordPress sites. Attackers with administrator access can read critical files, potentially gaining insight into database credentials, API keys, or other confidential information stored on the server. This could facilitate further attacks such as privilege escalation, lateral movement, or data exfiltration. Organizations in sectors with strict data protection regulations (e.g., GDPR) could face compliance issues and reputational damage if sensitive personal or business data is exposed. The impact is particularly relevant for organizations relying on WordPress for public-facing websites or internal portals that use this plugin. Since exploitation requires admin-level access, the threat is somewhat mitigated by existing access controls, but insider threats or compromised admin accounts could still lead to exploitation. The vulnerability does not affect system availability or integrity directly but compromises confidentiality, which is critical for maintaining trust and compliance.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately audit WordPress installations to identify the presence of the Import WP – Export and Import CSV and XML files to WordPress plugin and verify the version in use.
2) If possible, update the plugin to a patched version once available; if no patch exists yet, consider temporarily disabling the plugin or restricting access to the REST API endpoints related to this plugin.
3) Enforce strict administrator account security, including strong passwords, multi-factor authentication (MFA), and monitoring for suspicious admin activities to reduce the risk of credential compromise.
4) Implement web application firewalls (WAFs) with custom rules to detect and block suspicious REST API calls attempting to exploit file path parameters.
5) Conduct regular file integrity monitoring on WordPress servers to detect unauthorized access or changes to sensitive files.
6) Limit exposure of the WordPress REST API by restricting access to trusted IP addresses or networks where feasible.
7) Educate administrators on the risks of granting admin privileges and encourage the principle of least privilege.
These steps collectively reduce the attack surface and help prevent exploitation until an official patch is released.
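Mitigation steps 2 and 6 above (restricting access to the plugin's REST endpoints by network) as an added example, not code from the plugin or from this advisory: a WordPress `rest_pre_dispatch` filter that lets REST routes under a protected namespace be reached only from allowlisted IPv4 networks. The namespace prefix is a placeholder because the plugin's actual REST route is not given on this page; the networks and routes in the stand-alone check are constructed. The decision logic lives in plain functions so the file also runs from the command line without WordPress.

```php
<?php
// Added illustration of REST endpoint network restriction for a WordPress site;
// not Import WP's code. The protected route prefix is a placeholder.

/** IPv4 allowlist test; $cidr may be a bare address or a.b.c.d/nn. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    if (strpos($cidr, '/') === false) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Decide whether a REST request may proceed. Routes under any protected
 * prefix are reachable only from allowlisted networks; every other route is
 * left to WordPress's normal authentication and capability checks.
 */
function rest_request_allowed(string $route, string $remote_addr, array $protected_prefixes, array $allowed_cidrs): bool
{
    foreach ($protected_prefixes as $prefix) {
        if (strncmp($route, $prefix, strlen($prefix)) === 0) {
            foreach ($allowed_cidrs as $cidr) {
                if (ip_in_cidr($remote_addr, $cidr)) {
                    return true;
                }
            }
            return false; // protected route, request came from outside the allowlist
        }
    }
    return true;
}

// Deployment glue for a must-use plugin (wp-content/mu-plugins); only active inside WordPress.
if (function_exists('add_filter')) {
    add_filter('rest_pre_dispatch', function ($result, $server, $request) {
        $protected = ['/PLUGIN_REST_NAMESPACE_PLACEHOLDER/']; // placeholder: not the plugin's real namespace
        $allowed   = ['10.0.0.0/8', '192.0.2.10'];            // constructed example networks
        // Behind a reverse proxy, use the address the proxy is configured to set
        // on the connection, never a client-supplied header.
        $client = $_SERVER['REMOTE_ADDR'] ?? '';
        if (!rest_request_allowed($request->get_route(), $client, $protected, $allowed)) {
            return new WP_Error('rest_forbidden_network', 'Endpoint not reachable from this network.', ['status' => 403]);
        }
        return $result; // null: let WordPress dispatch the request normally
    }, 10, 3);
}

// --- stand-alone check with constructed routes and addresses ---
$protected = ['/PLUGIN_REST_NAMESPACE_PLACEHOLDER/'];
$allowed   = ['10.0.0.0/8', '192.0.2.10'];
$requests  = [
    ['/PLUGIN_REST_NAMESPACE_PLACEHOLDER/v1/import', '10.20.30.40'],  // protected route, allowlisted network
    ['/PLUGIN_REST_NAMESPACE_PLACEHOLDER/v1/import', '198.51.100.7'], // protected route, other network
    ['/wp/v2/posts', '198.51.100.7'],                                 // unprotected core route
];
foreach ($requests as [$route, $ip]) {
    printf("%-48s from %-14s => %s\n", $route, $ip,
        rest_request_allowed($route, $ip, $protected, $allowed) ? 'allowed' : 'blocked');
}
```

Returning a `WP_Error` from `rest_pre_dispatch` short-circuits dispatch before the endpoint's own callback runs, so the check applies even when a valid administrator session is presented, which is exactly the case this vulnerability requires. Scoping the rule to the plugin's namespace rather than the whole REST API keeps the block editor and other core routes working for users outside the allowlist.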
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T21:15:40.493Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec85
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 11/10/2025, 2:34:27 AM
Last updated: 12/15/2025, 4:36:22 AM