CVE-2025-12137: CWE-73 External Control of File Name or Path in jcollings Import WP – Export and Import CSV and XML files to WordPress
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
AI Analysis
Technical Summary
CVE-2025-12137 is classified under CWE-73 (External Control of File Name or Path) and affects the WordPress plugin 'Import WP – Export and Import CSV and XML files to WordPress' by jcollings, in all versions up to and including 2.14.16. The root cause is missing validation of file paths in the plugin's REST API endpoint, specifically in the 'attach_file()' function when it processes 'file_local' actions. The endpoint takes a 'local_url' parameter and opens whatever path it names, so an authenticated attacker with administrator-level privileges can supply an arbitrary absolute path instead of a file under the uploads directory. The attacker can therefore read any file the web server user can read, including wp-config.php (database credentials and the authentication keys and salts), other application configuration, and system files. No user interaction is required, but high privileges are. The CVSS v3.1 base score is 4.9 (Medium), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. There were no known exploits in the wild at publication (November 1, 2025), and no patch had been linked to the record. The value of the flaw to an attacker is information disclosure that supports further compromise, for example through leaked database credentials or authentication keys.
Potential Impact
For European organizations, the impact of CVE-2025-12137 is primarily a confidentiality breach through arbitrary file read. An attacker holding an administrator account could extract configuration files containing database credentials, API keys, or the WordPress authentication keys and salts, and use them to reach the database or other services on the host, or, together with the database contents, forge login cookies, extending the compromise beyond the site itself. Where the site or its database holds personal data, that is a GDPR-relevant disclosure with the usual regulatory and reputational consequences. The privilege requirement limits the exposure: on a stock single-site install an administrator can already upload plugins or edit theme files, which gives equivalent or greater access, so this vulnerability matters most where that capability has been removed, for example with DISALLOW_FILE_MODS set in wp-config.php, on a multisite network where site administrators cannot install plugins, on managed or shared hosting, or wherever an administrator account is not meant to imply filesystem access. Compromised or phished administrator credentials and insiders with administrator rights are the realistic paths to exploitation. Integrity and availability are not directly affected, but the disclosed secrets are a stepping stone to attacks that do affect them. The absence of known exploitation reduces immediate risk and should not delay remediation.
Mitigation Recommendations
1. Restrict administrator-level access on sites running this plugin to the people who need it, and review existing administrator accounts for stale or shared ones.
2. Log and review 'file_local' requests to the plugin's REST endpoint, paying attention to the 'local_url' parameter. WordPress core does not log REST request bodies and web server access logs record only the route, so this needs an activity-logging plugin, a reverse proxy or WAF that logs request parameters, or application-level logging you add yourself.
3. Where a WAF sits in front of the site, add a rule for the plugin's endpoint that blocks a 'local_url' value containing '..' segments or an absolute path that does not point under the uploads directory, and alerts on filenames such as wp-config.php.
4. Deactivate or remove the Import WP plugin if it is not needed, and keep it deactivated until a fixed version is installed.
5. Reduce what a read as the web server user can reach: keep secrets out of files inside the document root where possible, and confine PHP with open_basedir so the process cannot read outside the web root and its temporary directory. File permissions alone cannot protect wp-config.php, because PHP must be able to read it, and open_basedir does not protect files inside the web root either; it keeps system files such as /etc/passwd out of reach.
6. Watch for a fixed release from the plugin vendor (none was linked at publication) and update promptly when it appears.
7. Run WordPress instances in isolated or hardened containers or VMs so that a read of host configuration does not expose other tenants or services.
8. Include the REST API endpoints of installed plugins in regular security assessments and penetration tests.
9. Require MFA for administrator accounts and train administrators on the exposure that elevated privileges carry.
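Recommendations 2 and 3 above reduce to one triage rule over the 'local_url' value. The Python below, added as an example rather than taken from the plugin or any vendor signature, applies that rule to constructed JSON Lines request records. It assumes a logging plugin, reverse proxy or WAF emits one record per request with 'user', 'route', 'action' and 'local_url' fields (WordPress core produces nothing of the kind), the uploads directory is an assumed value, and the route string is a placeholder, not the plugin's actual REST route.

```python
"""Lexical triage of 'file_local' requests by their local_url value.

Added example, not the plugin's code and not a vendor rule. The log records are
constructed; the route and uploads directory are assumptions of the example.
"""
import json
import posixpath
from urllib.parse import unquote

# Assumed uploads directory of the site; the plugin legitimately reads files under it.
UPLOADS_DIR = "/var/www/html/wp-content/uploads"

# Basenames an attacker reaches for first; these raise 'review' even on relative paths.
SENSITIVE_BASENAMES = {"wp-config.php", "passwd", "shadow", ".env", "id_rsa", ".htpasswd", ".my.cnf"}

# Constructed JSON Lines request records (not real logs), one request per line.
SAMPLE_LOG = """\
{"ts":"2025-11-01T07:00:01Z","user":"content-admin","route":"/wp-json/example-importer/v1/file","action":"file_local","local_url":"imports/products.csv"}
{"ts":"2025-11-01T07:00:05Z","user":"content-admin","route":"/wp-json/example-importer/v1/file","action":"file_local","local_url":"/var/www/html/wp-content/uploads/2025/11/catalog.xml"}
{"ts":"2025-11-01T07:01:12Z","user":"admin","route":"/wp-json/example-importer/v1/file","action":"file_local","local_url":"/var/www/html/wp-config.php"}
{"ts":"2025-11-01T07:01:40Z","user":"admin","route":"/wp-json/example-importer/v1/file","action":"file_local","local_url":"../../../../etc/passwd"}
{"ts":"2025-11-01T07:02:03Z","user":"admin","route":"/wp-json/example-importer/v1/file","action":"file_remote","local_url":"https://example.com/feed.xml"}
{"ts":"2025-11-01T07:02:30Z","user":"admin","route":"/wp-json/example-importer/v1/file","action":"file_local","local_url":"%2Fetc%2Fshadow"}
"""


def classify_local_url(local_url, uploads_dir=UPLOADS_DIR):
    """Return (verdict, reason) for one local_url value; verdict is allow, review or block.

    The test is lexical because a WAF or log pipeline cannot realpath() the value:
    decode percent-encoding once, fold backslashes, then reject '..' segments and
    absolute paths that do not sit under the uploads directory.
    """
    value = unquote(local_url.strip()).replace("\\", "/")
    if not value:
        return "allow", "empty value"
    if "://" in value:
        return "review", "URL scheme or stream wrapper in a local path"
    if ".." in value.split("/"):
        return "block", "parent-directory traversal"
    base = posixpath.normpath("/" + uploads_dir.strip("/")) + "/"
    if value.startswith("/") and not posixpath.normpath(value).startswith(base):
        return "block", "absolute path outside uploads directory"
    if posixpath.basename(value) in SENSITIVE_BASENAMES:
        return "review", "sensitive filename"
    return "allow", "relative path or file under uploads"


def scan_records(jsonl_text, uploads_dir=UPLOADS_DIR):
    """Parse JSON Lines records; return one alert per file_local request that is not allowed."""
    alerts = []
    for lineno, line in enumerate(jsonl_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"line": lineno, "user": None, "verdict": "review",
                           "reason": "unparseable record", "local_url": None})
            continue
        if rec.get("action") != "file_local":      # other actions are outside this rule
            continue
        verdict, reason = classify_local_url(str(rec.get("local_url", "")), uploads_dir)
        if verdict != "allow":
            alerts.append({"line": lineno, "user": rec.get("user"), "verdict": verdict,
                           "reason": reason, "local_url": rec.get("local_url")})
    return alerts


if __name__ == "__main__":
    for alert in scan_records(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['verdict']:6s} {alert['reason']} "
              f"(user={alert['user']}, local_url={alert['local_url']!r})")
```

Decoding once before matching is what catches the percent-encoded absolute path on the last record; a rule that matches the raw parameter would miss it. The trailing slash appended to the uploads directory keeps a sibling such as 'uploads-evil' from passing as a child.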
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-23T21:15:40.493Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6905ae02e1b1aafea8d7ec85
Added to database: 11/1/2025, 6:51:46 AM
Last enriched: 11/1/2025, 7:08:14 AM
Last updated: 11/1/2025, 1:23:04 PM
Related Threats
- CVE-2025-36367: CWE-862 Missing Authorization (High)
- CVE-2025-6990: CWE-94 Improper Control of Generation of Code ('Code Injection') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme (High)
- CVE-2025-6988: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hogash KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme (Medium)
- CVE-2025-6574: CWE-639 Authorization Bypass Through User-Controlled Key in aonetheme Service Finder Bookings (High)
- CVE-2025-12171: CWE-434 Unrestricted Upload of File with Dangerous Type in anthonyeden RESTful Content Syndication (High)