CVE-2025-12894 is a vulnerability classified under CWE-552 (Files or Directories Accessible to External Parties) affecting the Import WP – Export and Import CSV and XML files to WordPress plugin developed by jcollings. This plugin facilitates the import and export of CSV and XML files within WordPress environments. The vulnerability stems from the plugin’s failure to protect critical directories (/exportwp and /importwp) with .htaccess or equivalent access control mechanisms. As a result, these directories are publicly accessible over the web, allowing unauthenticated attackers to directly access and download sensitive data files stored there. These files may contain confidential information exported or imported through the plugin, such as user data, site configuration, or other sensitive content. The vulnerability affects all versions up to and including 2.14.17. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), confidentiality impact low (C:L), and no impact on integrity or availability (I:N/A:N). There are no known exploits in the wild at the time of publication. The vulnerability is significant because WordPress is widely used across many sectors, and plugins often handle sensitive data. Without proper directory access controls, sensitive export/import files can be exposed to any internet user, potentially leading to data leakage. The lack of patch links suggests that no official fix was available at the time of reporting, so mitigation relies on manual configuration changes or plugin updates when released.

For European organizations, this vulnerability poses a risk of sensitive data exposure from WordPress sites using the affected plugin. Confidential information such as user details, business data, or configuration files could be accessed by unauthorized parties, potentially violating GDPR and other data protection regulations. This could lead to reputational damage, regulatory fines, and loss of customer trust. The impact is limited to confidentiality, with no direct effect on data integrity or system availability. Organizations in sectors with strict data privacy requirements, such as finance, healthcare, and government, are particularly vulnerable. Since the vulnerability requires no authentication and can be exploited remotely, it increases the attack surface for data breaches. However, the absence of known exploits and the medium severity score suggest that while the risk is real, it may not be actively exploited yet. Nonetheless, the ease of exploitation and potential regulatory consequences make it a significant concern for European entities relying on this plugin for data import/export operations.

European organizations should immediately verify if they use the Import WP plugin version 2.14.17 or earlier. Until an official patch is released, administrators should manually restrict access to the /exportwp and /importwp directories by implementing web server access controls such as .htaccess rules for Apache or equivalent configurations for Nginx and IIS. This can include denying all external HTTP requests to these directories or restricting access to trusted IP addresses only. Additionally, organizations should audit exported and imported files to ensure no sensitive data is unnecessarily stored or retained in these directories. Monitoring web server logs for unauthorized access attempts to these paths can help detect exploitation attempts. Organizations should subscribe to vendor notifications or security mailing lists to apply official patches promptly once available. As a longer-term measure, consider alternative plugins with better security practices or custom import/export solutions that enforce strict access controls. Regular security assessments and plugin inventory reviews are recommended to identify and remediate similar risks proactively.