
CVE-2025-12894: CWE-552 Files or Directories Accessible to External Parties in jcollings Import WP – Export and Import CSV and XML files to WordPress

Severity: Medium
Tags: Vulnerability, CVE-2025-12894, cve, cve-2025-12894, cwe-552
Published: Fri Nov 21 2025 (11/21/2025, 07:31:49 UTC)
Source: CVE Database V5
Vendor/Project: jcollings
Product: Import WP – Export and Import CSV and XML files to WordPress

Description

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attackers to extract sensitive data from exports stored in /exportwp and import data stored in /importwp.

AI-Powered Analysis

AI analysis last updated: 11/21/2025, 08:40:49 UTC

Technical Analysis

CVE-2025-12894 is a vulnerability classified under CWE-552 (Files or Directories Accessible to External Parties) affecting the WordPress plugin 'Import WP – Export and Import CSV and XML files to WordPress' developed by jcollings. The issue exists in all versions up to and including 2.14.17 and stems from insufficient access control on the directories used for import and export operations (/exportwp and /importwp). Specifically, the plugin fails to implement .htaccess or equivalent web server protections to restrict unauthorized HTTP access to these directories. As a result, unauthenticated attackers can directly access files stored in these locations, potentially extracting sensitive information such as exported data or import files that may contain confidential content. The vulnerability does not require any user interaction or authentication, making exploitation straightforward if the directories are accessible over the web. The CVSS 3.1 base score of 5.3 reflects a medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L). No integrity or availability impacts are noted. There are no known exploits in the wild at the time of publication, and no official patches have been released yet. The vulnerability was publicly disclosed on November 21, 2025, with the Wordfence team as the assigner. This vulnerability highlights the importance of proper web server configuration and access control for directories handling sensitive data in WordPress plugins.

Potential Impact

For European organizations, the exposure of sensitive import/export data can lead to confidentiality breaches, potentially revealing business-critical information, customer data, or proprietary content. This can undermine trust, violate data protection regulations such as GDPR, and result in reputational damage or legal penalties. Since the vulnerability allows unauthenticated access, attackers can easily harvest data without leaving obvious traces or requiring sophisticated techniques. Organizations relying on this plugin for data migration, backups, or content management are at risk of data leakage. The impact is particularly significant for sectors handling sensitive personal or financial data, including e-commerce, healthcare, finance, and government websites. Additionally, the exposure of import files could facilitate further attacks if those files contain credentials or configuration details. Although the vulnerability does not directly affect system integrity or availability, the confidentiality impact alone warrants prompt remediation. The lack of known exploits suggests a window of opportunity for defenders to act before widespread abuse occurs.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence of the vulnerable Import WP plugin. Until an official patch is released, administrators should implement manual mitigations by restricting web access to the /exportwp and /importwp directories. This can be achieved by adding .htaccess files with 'Deny from all' directives or equivalent rules in Nginx or other web servers to prevent HTTP access. Additionally, moving these directories outside the web root or configuring the plugin to store files in non-public locations can reduce exposure. Monitoring web server logs for unauthorized access attempts to these paths is recommended to detect potential exploitation. Organizations should also review and limit the permissions of files stored in these directories to minimize sensitive data exposure. Keeping WordPress core and all plugins updated is essential, and administrators should subscribe to vendor advisories for timely patch releases. Finally, conducting regular security assessments and penetration tests focusing on file access controls can help identify similar weaknesses proactively.
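The two manual mitigations above (block HTTP access to the directories, then watch the access log for requests that still reach them) can be exercised with the following helper. It is an added example written for this page, not code from the plugin or from the advisory's authors. It assumes the import/export directories sit somewhere under the web root with the segment names the advisory gives (/importwp/ and /exportwp/); the full paths under wp-content/uploads in the sample log lines are constructed for illustration, as are the log lines themselves. The Apache rules it emits cover both the 2.2 syntax ('Deny from all') named in the mitigation text and the 2.4 equivalent ('Require all denied'), and an Nginx location block is included for the "equivalent rules in Nginx" case.

```python
"""Detection and hardening helper for CVE-2025-12894 (added example, not project code).

- find_exposed_dir_hits(): scans Common/Combined Log Format access-log lines and
  returns successful (2xx) requests whose path contains /importwp/ or /exportwp/,
  i.e. cases where export or import files were actually served to a client.
- apache_deny_rules() / nginx_deny_rules(): the web-server rules the mitigation
  section describes, ready to drop into .htaccess or a server block.
"""
import re
from dataclasses import dataclass

# Directory names taken from the advisory. Their location under the web root is
# an assumption, so the segment is matched anywhere in the request path.
EXPOSED_DIR_PATTERN = re.compile(r"/(?:importwp|exportwp)/", re.IGNORECASE)

# Common Log Format / Combined Log Format as written by Apache and Nginx by default.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    time: str
    path: str
    status: int
    size: int


def find_exposed_dir_hits(lines):
    """Return Hit records for 2xx requests into the plugin's import/export dirs."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a CLF/combined line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if not EXPOSED_DIR_PATTERN.search(path):
            continue
        status = int(m.group("status"))
        if status // 100 != 2:
            # 403/404 mean the request was blocked or hit nothing; only a 2xx
            # shows that file content or a directory listing was served.
            continue
        size = m.group("size")
        hits.append(Hit(m.group("ip"), m.group("time"), path, status,
                        0 if size == "-" else int(size)))
    return hits


def apache_deny_rules():
    """.htaccess body that refuses every HTTP request to the directory.

    Apache 2.4 uses 'Require all denied'; 'Order/Deny' is the 2.2 form the
    advisory names and still works on 2.4 when mod_access_compat is loaded.
    """
    return (
        "<IfModule mod_authz_core.c>\n"
        "    Require all denied\n"
        "</IfModule>\n"
        "<IfModule !mod_authz_core.c>\n"
        "    Order deny,allow\n"
        "    Deny from all\n"
        "</IfModule>\n"
    )


def nginx_deny_rules():
    """Equivalent Nginx server-block snippet (Nginx ignores .htaccess files)."""
    return (
        "location ~* /(?:importwp|exportwp)/ {\n"
        "    deny all;\n"
        "}\n"
    )


# Constructed sample log lines (not real traffic): one export download that
# succeeded, one import file that was blocked, an unrelated admin page whose
# query string merely mentions the plugin, and a served directory listing.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2025:09:14:02 +0000] "GET /wp-content/uploads/exportwp/customers.csv HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Nov/2025:09:14:05 +0000] "GET /wp-content/uploads/importwp/users.xml HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.4 - - [21/Nov/2025:09:15:11 +0000] "GET /wp-admin/admin.php?page=importwp HTTP/1.1" 200 10233 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2025:09:16:40 +0000] "GET /wp-content/uploads/importwp/?C=M;O=D HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in find_exposed_dir_hits(SAMPLE_LOG):
        print(f"{hit.time} {hit.ip} served {hit.path} ({hit.status}, {hit.size} bytes)")
    print("--- .htaccess for /importwp and /exportwp ---")
    print(apache_deny_rules())
    print("--- nginx ---")
    print(nginx_deny_rules())
```

Run it against a real access log with `find_exposed_dir_hits(open("/var/log/apache2/access.log"))`; any hit returned after the deny rules are in place means the rules are not being applied to that path (for example AllowOverride is off for the directory, or the Nginx location is shadowed by an earlier match) and the configuration should be rechecked rather than assumed.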


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-07T18:29:34.958Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6920235bcf2d47c38997b546

Added to database: 11/21/2025, 8:31:23 AM

Last enriched: 11/21/2025, 8:40:49 AM

Last updated: 11/22/2025, 6:04:41 AM

Views: 12
