CVE-2025-14627: CWE-918 Server-Side Request Forgery (SSRF) in smackcoders WP Import – Ultimate CSV XML Importer for WordPress

Severity: Medium
Tags: Vulnerability, CVE-2025-14627, CWE-918
Published: Thu Jan 01 2026 (01/01/2026, 16:19:31 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: WP Import – Ultimate CSV XML Importer for WordPress

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.

AI-Powered Analysis

Last updated: 01/01/2026, 16:44:20 UTC

Technical Analysis

CVE-2025-14627 is a Server-Side Request Forgery (SSRF) vulnerability identified in the WP Import – Ultimate CSV XML Importer plugin for WordPress, maintained by smackcoders. The vulnerability exists in all plugin versions up to and including 7.35. The root cause is inadequate validation of URLs after following Bitly shortlink redirects within the plugin's upload_function() method. Initially, the plugin validates the user-supplied URL using WordPress's wp_http_validate_url() function. However, if the URL is a Bitly shortlink, the plugin calls unshorten_bitly_url() to follow the redirect chain to the final destination URL. Critically, this final URL is not re-validated, allowing an authenticated attacker with Contributor-level privileges or higher to supply a Bitly shortlink that resolves to internal network addresses or cloud metadata endpoints. This enables the attacker to coerce the server into making HTTP requests to internal resources such as localhost, private IP ranges (e.g., 10.x.x.x, 192.168.x.x), or cloud metadata services like 169.254.169.254. Such SSRF attacks can lead to unauthorized disclosure of sensitive internal data, potentially exposing credentials, configuration details, or other protected information. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (Contributor or higher), no user interaction, and a scope change due to potential internal resource access. No public exploits have been reported to date. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface for websites using this importer tool, especially those hosted in cloud environments or with sensitive internal networks. The flaw highlights the importance of validating URLs after all redirects, especially when dealing with URL shorteners that can mask the final destination. 
Organizations relying on this plugin should assess their exposure and apply mitigations promptly.

Potential Impact

For European organizations, this SSRF vulnerability poses a significant risk, particularly for those using the WP Import – Ultimate CSV XML Importer plugin on WordPress sites that allow Contributor-level users to upload or import data. Exploitation could allow attackers to access internal network resources, including cloud metadata services that may contain sensitive credentials or configuration data, leading to potential lateral movement, data leakage, or privilege escalation. This is especially critical for organizations hosting WordPress sites in cloud environments (AWS, Azure, Google Cloud) where metadata services are accessible via link-local IPs. The exposure of internal endpoints could facilitate further attacks against internal infrastructure or compromise sensitive business data. Given the medium CVSS score, the vulnerability is moderately severe but can be exploited without user interaction, increasing risk. The impact is heightened in environments with lax user permission controls or where Contributor roles are widely assigned. Additionally, organizations with compliance requirements around data protection (e.g., GDPR) must consider the risk of internal data exposure and potential regulatory consequences. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits targeting this vulnerability.

Mitigation Recommendations

1. Immediately update the WP Import – Ultimate CSV XML Importer plugin to a patched version once available from the vendor. If no patch is available, consider disabling or removing the plugin temporarily.
2. Restrict Contributor-level and higher user permissions to trusted personnel only, minimizing the risk of malicious uploads or imports.
3. Implement network segmentation and firewall rules to restrict server access to internal metadata services and sensitive internal endpoints from the web server, reducing the impact of SSRF.
4. Use Web Application Firewalls (WAFs) with SSRF detection capabilities to monitor and block suspicious outbound HTTP requests originating from the WordPress server.
5. Conduct regular audits of user roles and permissions within WordPress to ensure least privilege principles are enforced.
6. Monitor server logs for unusual outbound HTTP requests, especially those targeting internal IP ranges or metadata service IPs.
7. Consider implementing URL validation logic or plugins that enforce strict validation after redirects, particularly for URL shorteners.
8. Educate site administrators about the risks of SSRF and the importance of controlling plugin usage and user permissions.
9. For cloud-hosted environments, use cloud provider security features to limit metadata service exposure, such as AWS IMDSv2 enforcement or metadata service access restrictions.
10. Maintain an incident response plan to quickly address any suspected exploitation attempts.
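The defect in the Technical Analysis is that only the first URL is validated and the Bitly redirect target is not; mitigation 7 asks for validation after redirects. The following is an added illustration (not the plugin's code, and Python rather than PHP so it runs stand-alone): redirects are followed one hop at a time and every hop is checked against loopback, private and link-local ranges before it is requested. The function names, the fake resolver and the redirect table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse


def is_safe_destination(url, resolve):
    """True only for http(s) URLs whose host resolves to a public address.
    `resolve` maps a hostname to an IP string; it is injected so the check
    can be exercised offline (production code would use DNS)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (ValueError, KeyError, OSError):
        return False  # unresolvable or malformed host: fail closed
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def unshorten_validated(url, fetch, resolve, max_hops=5):
    """Follow redirects hop by hop, validating EACH target before requesting it.
    `fetch(url)` returns (status, location) and must not auto-follow redirects.
    Returns the final URL, or None if any hop is unsafe or the chain is too long."""
    for _ in range(max_hops + 1):
        if not is_safe_destination(url, resolve):
            return None            # e.g. shortlink resolving to 169.254.169.254
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url             # not a redirect: this is the validated destination
        url = location
    return None                    # redirect loop or excessive chain length


# Constructed sample data: a fake DNS table and a fake redirect table.
SAMPLE_DNS = {
    "bit.ly": "67.199.248.11",           # constructed public address
    "example.com": "93.184.216.34",      # constructed public address
    "169.254.169.254": "169.254.169.254",
    "localhost": "127.0.0.1",
}
SAMPLE_REDIRECTS = {
    "https://bit.ly/good": (301, "https://example.com/data.csv"),
    "https://bit.ly/meta": (301, "http://169.254.169.254/latest/meta-data/"),
    "https://bit.ly/loop": (302, "https://bit.ly/loop"),
}


def sample_fetch(url):
    return SAMPLE_REDIRECTS.get(url, (200, None))


def sample_resolve(host):
    return SAMPLE_DNS[host]
```

In a real importer the request should be sent to the IP address that passed the check (not re-resolved by the HTTP client), otherwise a host whose DNS answer changes between check and connect can still reach an internal address.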


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-12T21:29:55.600Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6956a0c2db813ff03e6d157a

Added to database: 1/1/2026, 4:28:50 PM

Last enriched: 1/1/2026, 4:44:20 PM

Last updated: 1/7/2026, 4:12:49 AM

