CVE-2025-14627: CWE-918 Server-Side Request Forgery (SSRF) in smackcoders WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
AI Analysis
Technical Summary
The WP Ultimate CSV Importer WordPress plugin suffers from a Server-Side Request Forgery vulnerability (CWE-918) due to insufficient validation of URLs after Bitly shortlink redirection. While the initial URL is validated with wp_http_validate_url(), the plugin's unshorten_bitly_url() function follows redirects without re-validating the resolved URL. This allows authenticated users with Contributor or higher privileges to coerce the server into making HTTP requests to internal network resources, including localhost, private IP addresses, and cloud metadata endpoints (e.g., 169.254.169.254). The vulnerability affects all versions up to 7.35 and has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). No patch or official remediation guidance is provided in the available information.
Potential Impact
Exploitation of this SSRF vulnerability could allow an attacker with Contributor-level access or higher to make the WordPress server perform unauthorized HTTP requests to internal network resources. This may lead to disclosure of sensitive internal information, including data from localhost services, private IP ranges, or cloud metadata services. The vulnerability does not directly enable denial of service or code execution but can facilitate information leakage within the internal network context of the server.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, limit Contributor-level access to trusted users only and consider disabling or restricting the use of the WP Ultimate CSV Importer plugin. Monitor for updates from smackcoders regarding patches addressing this SSRF vulnerability.
CVE-2025-14627: CWE-918 Server-Side Request Forgery (SSRF) in smackcoders WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WP Ultimate CSV Importer WordPress plugin suffers from a Server-Side Request Forgery vulnerability (CWE-918) due to insufficient validation of URLs after Bitly shortlink redirection. While the initial URL is validated with wp_http_validate_url(), the plugin's unshorten_bitly_url() function follows redirects without re-validating the resolved URL. This allows authenticated users with Contributor or higher privileges to coerce the server into making HTTP requests to internal network resources, including localhost, private IP addresses, and cloud metadata endpoints (e.g., 169.254.169.254). The vulnerability affects all versions up to 7.35 and has a CVSS 3.1 base score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). No patch or official remediation guidance is provided in the available information.
Potential Impact
Exploitation of this SSRF vulnerability could allow an attacker with Contributor-level access or higher to make the WordPress server perform unauthorized HTTP requests to internal network resources. This may lead to disclosure of sensitive internal information, including data from localhost services, private IP ranges, or cloud metadata services. The vulnerability does not directly enable denial of service or code execution but can facilitate information leakage within the internal network context of the server.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, limit Contributor-level access to trusted users only and consider disabling or restricting the use of the WP Ultimate CSV Importer plugin. Monitor for updates from smackcoders regarding patches addressing this SSRF vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-12T21:29:55.600Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6956a0c2db813ff03e6d157a
Added to database: 1/1/2026, 4:28:50 PM
Last enriched: 4/9/2026, 4:51:57 PM
Last updated: 5/10/2026, 3:47:50 PM
Views: 276
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.