CVE-2025-12894 is a vulnerability categorized under CWE-552 (Files or Directories Accessible to External Parties) found in the Import WP – Export and Import CSV and XML files to WordPress plugin developed by jcollings. This plugin facilitates the import and export of CSV and XML files within WordPress environments. The vulnerability exists in all versions up to and including 2.14.17 due to the plugin's failure to implement proper access controls and lack of .htaccess file protection on the directories /exportwp and /importwp. These directories store exported and imported data files, which may contain sensitive information. Because these directories are accessible over the network without authentication, an unauthenticated attacker can directly retrieve sensitive data by accessing these paths. The vulnerability is remotely exploitable without any user interaction, making it relatively easy to exploit. The CVSS v3.1 base score is 5.3, reflecting a medium severity primarily due to the confidentiality impact. There is no impact on integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights a common misconfiguration and design oversight in WordPress plugins where sensitive data directories are exposed without proper web server access restrictions.

The primary impact of CVE-2025-12894 is the unauthorized disclosure of sensitive data stored in the import/export directories of the affected WordPress plugin. Organizations using this plugin risk exposure of potentially confidential information such as user data, configuration details, or business-critical content contained in CSV or XML files. This could lead to privacy violations, regulatory non-compliance, and reputational damage. Since the vulnerability does not affect data integrity or availability, attackers cannot modify or disrupt services but can harvest data silently. The ease of exploitation and lack of authentication requirements increase the risk, especially for publicly accessible WordPress sites. Attackers could automate scanning for vulnerable sites and extract data en masse. This threat is particularly concerning for organizations handling sensitive or regulated data within WordPress environments. Although no active exploits are known, the vulnerability presents a clear vector for data leakage if left unmitigated.

To mitigate CVE-2025-12894, organizations should immediately restrict public access to the /exportwp and /importwp directories by implementing proper web server access controls. This can be achieved by adding .htaccess files with deny rules or configuring the web server (Apache, Nginx, etc.) to block external HTTP requests to these directories. Additionally, administrators should update the Import WP plugin to the latest version once a patch is released that addresses this issue. Until a patch is available, consider disabling the import/export functionality if not essential or moving the storage of import/export files to non-web-accessible locations. Regularly audit WordPress plugins for directory exposure and sensitive data leaks. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting these paths. Finally, monitor logs for unusual access patterns to the affected directories to detect potential exploitation attempts early.