CVE-2025-12732: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in smackcoders WP Import – Ultimate CSV XML Importer for WordPress
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
AI Analysis
Technical Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin suffers from a CWE-200 vulnerability tracked as CVE-2025-12732. The root cause is a missing authorization check in the showsetting() function: any authenticated user with the Author role or higher can call it, and it returns the plugin's configuration data, including the OpenAI API key entered through the plugin's admin interface, with no further user interaction. Contributor and Subscriber accounts sit below Author in WordPress's default role hierarchy and, per the advisory, are not sufficient. All versions up to and including 7.33 are affected. The CVSS v3.1 base score is 4.3 (medium), which matches the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low privileges required, no user interaction, and an impact on confidentiality only, with no effect on integrity or availability. At the time this record was enriched no fixed version had been linked and no in-the-wild exploitation had been reported. An exposed OpenAI key lets the holder run requests against the victim's OpenAI account, incurring charges and potentially exposing any data the account holds. The Author-level requirement limits exposure on sites with a handful of trusted accounts, but on sites with many Author accounts, or where an Author account has been phished or its password reused, the stored key should be treated as compromised.
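To make the class of bug concrete, the following added example (not the smackcoders plugin's code; the hook name `example_showsetting`, the option name `example_importer_settings` and the settings layout are assumptions) shows an admin-ajax handler that returns plugin settings to any logged-in user, next to a hardened version that enforces a capability, checks a nonce, and never echoes the stored key back:

```php
<?php
/*
 * Illustrative only: NOT the WP Import – Ultimate CSV XML Importer code.
 * Demonstrates the pattern behind a "missing authorization check on a settings
 * function" (CWE-862 leading to CWE-200). Hook names, option names and the
 * settings layout below are assumptions for the example.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* handlers fire for ANY authenticated user (Subscriber upward),
// so the effective gate is "has a login", not "may manage settings".
add_action( 'wp_ajax_example_showsetting', 'example_showsetting_vulnerable' );
function example_showsetting_vulnerable() {
    $settings = (array) get_option( 'example_importer_settings', array() ); // assumed option
    wp_send_json_success( $settings ); // returns 'openai_api_key' verbatim to the caller
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'wp_ajax_example_showsetting_safe', 'example_showsetting_hardened' );
function example_showsetting_hardened() {
    // 1. Authorization: only users who may manage the site's options.
    //    wp_send_json_error() ends the request via wp_die(), so no fall-through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce issued to this user for this action
    //    (created on the settings page with wp_create_nonce( 'example_showsetting_nonce' )).
    check_ajax_referer( 'example_showsetting_nonce', 'nonce' );

    $settings = (array) get_option( 'example_importer_settings', array() );

    // 3. Data minimization: an admin only needs to know whether a key is set and
    //    which one it is, so return a flag and a short suffix, never the secret.
    if ( ! empty( $settings['openai_api_key'] ) ) {
        $key = (string) $settings['openai_api_key'];
        $settings['openai_api_key'] = array(
            'configured' => true,
            'suffix'     => substr( $key, -4 ),
        );
    } else {
        $settings['openai_api_key'] = array( 'configured' => false );
    }

    wp_send_json_success( $settings );
}
```

The authorization check is the fix for the reported flaw; the nonce and the redaction are the two checks a reviewer would expect alongside it, because a settings endpoint that returns a live secret remains a liability even when it is correctly restricted to administrators.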
Potential Impact
For European organizations, the primary impact is disclosure of the OpenAI API key configured in the plugin. Whoever holds the key can consume the victim's OpenAI quota, running up costs and potentially sending or retrieving data under the organization's account, which raises data privacy concerns. The vulnerability does not itself alter or take down the site, and the advisory describes no path from the exposed key to higher WordPress privileges; the secondary risk is abuse of the key and of any other settings the same function returns. Sites with many Author-level accounts, such as multi-author news or corporate blogs, are at higher risk because any one of those accounts suffices. WordPress is widely used in Germany, the UK and France, so organizations there are more likely to be running the plugin. The absence of a public exploit lowers immediate risk but not for long: a missing authorization check on a named function is straightforward to exercise once the endpoint is located, and exploitation commonly follows public disclosure.
Mitigation Recommendations
Treat the OpenAI key as compromised and rotate it on the OpenAI side first: any Author-level account could have read it for as long as the plugin has stored it, so monitoring alone is not enough. After rotation, review the account's usage for unexpected activity and apply a spending limit. Audit WordPress user roles and reduce Author-level access to people who actually need to publish; the Contributor role, which cannot reach the function, is sufficient for drafting. No fixed version is referenced in the record, so until the vendor ships one, consider deactivating the plugin, or at least removing the OpenAI key from its settings if the import features you rely on do not need it. A WAF rule can block non-administrator requests to the endpoint through which showsetting() is reached; the record does not name that endpoint, so identify it from the plugin's hook registrations before writing the rule. Log requests to that endpoint together with the calling user so that a hit from a non-administrator account can be alerted on. Watch the vendor's changelog and update as soon as a version above 7.33 that addresses the issue is released, then re-verify that the endpoint rejects Author-level callers. Finally, brief users with elevated roles to report unexpected login prompts or sessions, since a phished Author account is the most likely entry point.
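One way to get the blocking and logging above in place before a vendor fix, as an added example rather than anything from the plugin or the advisory, is a must-use plugin that intercepts admin-ajax requests for named actions and refuses them unless the caller holds `manage_options`. The action name `example_showsetting` is an assumption: read the plugin's real `add_action( 'wp_ajax_...' )` registrations and substitute them. This only covers the admin-ajax path; if the function is also exposed through the REST API, a comparable check on `rest_pre_dispatch` is needed.

```php
<?php
/*
 * Plugin Name: Guard privileged importer settings actions (virtual patch)
 * Description: Place this file in wp-content/mu-plugins/ so it loads before
 * ordinary plugins. Illustrative example, not vendor code. The action names
 * below are ASSUMPTIONS; replace them with the plugin's real wp_ajax_ actions.
 */

// Admin-ajax actions that must be limited to users holding manage_options.
const GUARD_PRIVILEGED_AJAX_ACTIONS = array(
    'example_showsetting', // assumed name; take the real one from the plugin source
);

// admin_init fires in admin-ajax.php before any wp_ajax_{action} hook,
// so a check here runs ahead of the plugin's own handler.
add_action( 'admin_init', 'guard_privileged_ajax_actions', 1 );
function guard_privileged_ajax_actions() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }

    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, GUARD_PRIVILEGED_AJAX_ACTIONS, true ) ) {
        return;
    }

    $user    = wp_get_current_user();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $allowed = current_user_can( 'manage_options' );

    // Record every call to a guarded action, allowed or not, with the acting
    // user. error_log() goes to PHP's error log, or to wp-content/debug.log
    // when WP_DEBUG_LOG is enabled; alert on lines with allowed=no.
    error_log( sprintf(
        'guard_privileged_ajax: action=%s user_id=%d login=%s ip=%s allowed=%s',
        $action,
        $user->ID,
        $user->user_login,
        $ip,
        $allowed ? 'yes' : 'no'
    ) );

    if ( ! $allowed ) {
        // Ends the request via wp_die() before the plugin's handler can run.
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
}
```

Because the gate keys on the `action` parameter, it is only as good as the list of names it guards; after deploying, confirm from a test Author account that the guarded action returns 403 and that an administrator still reaches the plugin normally.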
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-04T22:08:04.891Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6914483ad823118ac8c87d30
Added to database: 11/12/2025, 8:41:30 AM
Last enriched: 11/12/2025, 8:56:43 AM
Last updated: 11/12/2025, 9:59:09 AM