CVE-2025-14627: CWE-918 Server-Side Request Forgery (SSRF) in smackcoders WP Import – Ultimate CSV XML Importer for WordPress
The WP Import – Ultimate CSV XML Importer for WordPress plugin is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.
AI Analysis
Technical Summary
CVE-2025-14627 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 in the WP Import – Ultimate CSV XML Importer plugin for WordPress, developed by smackcoders. It affects all versions up to and including 7.35 and is caused by insufficient validation of URLs after Bitly shortlink redirection in the plugin's upload_function() method. The plugin validates the user-supplied import URL with WordPress's wp_http_validate_url(), which rejects loopback and private addresses by default. If the URL is a Bitly shortlink, however, the plugin then calls unshorten_bitly_url(), which follows the redirect chain and uses the final resolved URL without passing it through the same validation. The check therefore applies only to the shortener's hostname, not to where the shortener actually sends the request.

An authenticated attacker with Contributor-level permissions or higher can create a Bitly shortlink that redirects to an internal address and supply it as the remote import source. The server then issues an HTTP request to the attacker's chosen target: localhost, RFC 1918 ranges, or a cloud metadata endpoint such as 169.254.169.254. Depending on what is reachable, this yields internal network reconnaissance, disclosure of internal service responses, or, on unhardened cloud instances, metadata-service output that may include credentials.

The vulnerability has a CVSS 3.1 base score of 6.4 (medium): network attack vector, low attack complexity, low privileges required (Contributor or higher), no user interaction, and a scope change because the affected component is used to reach resources outside its own security boundary. No public exploits have been reported at the time of writing, but the low privilege bar and the popularity of WordPress keep the risk meaningful. The root lesson is that URL validation must be applied to every hop of a redirect chain, including the final destination, not only to the URL the user typed.
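The following is an added example written for this page; it is not code from the plugin or from smackcoders, and it stands in for the PHP logic only to show the pattern. The DNS table, redirect chain and function names (url_is_safe, unshorten_vulnerable, unshorten_hardened) are constructed assumptions so that it runs offline. It contrasts the pattern the advisory describes, validating once and then following redirects blindly, with the hardened form that re-validates every hop, including the final destination, against loopback, private, link-local and IPv4-mapped IPv6 addresses.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed, offline stand-ins for DNS and for an HTTP client that only
# reports the Location header of each hop. No real network access is made.
FAKE_DNS = {
    "bit.ly": "67.199.248.10",            # shortener front end (constructed entry)
    "example.com": "93.184.216.34",       # harmless public host (constructed entry)
    "metadata.internal": "169.254.169.254",  # hostname that resolves to a metadata address
}
# Redirect chains as a shortener might return them (constructed):
#   abc123 -> a legitimate CSV; evil01 -> public hop -> metadata IP; evil02 -> metadata via hostname
FAKE_REDIRECTS = {
    "https://bit.ly/abc123": "https://example.com/import.csv",
    "https://bit.ly/evil01": "https://example.com/hop",
    "https://example.com/hop": "http://169.254.169.254/latest/meta-data/",
    "https://bit.ly/evil02": "http://metadata.internal/latest/meta-data/",
}

# Address space a server-side fetcher should never be allowed to reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(host):
    """Resolve a hostname via the constructed DNS table; literal IPs pass straight through."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host not in FAKE_DNS:
            raise ValueError(f"unresolvable host: {host}")
        return ipaddress.ip_address(FAKE_DNS[host])


def url_is_safe(url):
    """Scheme, host and resolved-address check for exactly one URL (the role wp_http_validate_url plays)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        ip = resolve(p.hostname)
    except ValueError:
        return False
    # ::ffff:169.254.169.254 is the same target as 169.254.169.254; unwrap before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED_NETWORKS)


def fetch_location(url):
    """Stand-in for an HTTP HEAD with redirects disabled: returns the next Location or None."""
    return FAKE_REDIRECTS.get(url)


def unshorten_vulnerable(url, max_hops=5):
    """Pattern the advisory describes: validate the initial URL once, then follow redirects blindly."""
    if not url_is_safe(url):
        raise ValueError("rejected: initial URL failed validation")
    for _ in range(max_hops):
        nxt = fetch_location(url)
        if nxt is None:
            return url          # final destination, never re-checked
        url = nxt
    raise ValueError("too many redirects")


def unshorten_hardened(url, max_hops=5):
    """Hardened form: every hop, including the final destination, must pass the same check."""
    for _ in range(max_hops + 1):
        if not url_is_safe(url):
            raise ValueError(f"rejected: {url} resolves to a blocked address")
        nxt = fetch_location(url)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects")


def rejected(func, url):
    """True if func refuses url with ValueError (used for the checks below)."""
    try:
        func(url)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print("vulnerable evil01 ->", unshorten_vulnerable("https://bit.ly/evil01"))
    print("hardened evil01 rejected:", rejected(unshorten_hardened, "https://bit.ly/evil01"))
    print("hardened abc123 ->", unshorten_hardened("https://bit.ly/abc123"))
```

Two points carry over to a real fix. First, the redirect must be followed with automatic redirection disabled so that each Location header can be inspected before the next request is made; a client that follows redirects internally hides the intermediate hops. Second, the check above resolves the hostname once and a real client would resolve it again when connecting, which leaves a DNS rebinding window; production code should connect to the address it validated (or validate on the connected socket's peer address) rather than re-resolving.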
Potential Impact
For European organizations, this SSRF vulnerability poses a risk of unauthorized internal network access and data exposure. An attacker holding only a Contributor account can make the WordPress server issue requests to internal services, including cloud metadata endpoints that may return instance credentials or configuration data, which can lead to further compromise of the hosting account. Organizations running WordPress sites with this plugin installed are exposed to internal reconnaissance, data leakage, and lateral movement, because the vulnerable server acts as a proxy that sits inside the perimeter and can reach services a remote attacker cannot. This is most serious where the site shares a network with sensitive systems or runs on a cloud instance whose metadata service issues credentials without additional protection. The impact is to confidentiality and integrity of internal systems; availability impact is minimal, consistent with the CVSS vector. The medium score reflects the privilege requirement rather than a low ceiling on consequences: in environments where contributor accounts are common, or where the metadata service is not hardened, a single such account is enough. The absence of known exploitation in the wild lowers immediate risk but does not remove the potential for targeted attacks.
Mitigation Recommendations
1. Apply the fixed plugin release from smackcoders as soon as it is available; every version up to and including 7.35 carries the flaw, so confirm the installed version is newer than 7.35 after updating.
2. Until the update is applied, limit who can trigger imports: restrict the importer to trusted Administrator or Editor accounts, and review existing Contributor accounts, since Contributor access is all the attack requires.
3. Enforce egress controls on the host or network firewall (not a WAF, which inspects inbound traffic): deny connections from the WordPress server to loopback (127.0.0.0/8), RFC 1918 space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local (169.254.0.0/16, which includes the 169.254.169.254 metadata address) and their IPv6 equivalents (::1, fe80::/10, fc00::/7). On cloud instances, also harden the metadata service itself: enforce AWS IMDSv2 with a hop limit of 1, and rely on the header requirements of GCP (Metadata-Flavor: Google) and Azure (Metadata: true), none of which a plain GET issued through this SSRF can satisfy. A WAF can still help on the inbound side by blocking import requests whose URL parameter points at a URL shortener.
4. Monitor egress logs for HTTP requests originating from the WordPress server to internal or metadata addresses, and treat a shortener lookup followed within seconds by such a request from the same host as a strong indicator.
5. Audit user roles and capabilities regularly so that each account holds only the privileges it needs.
6. Disable or restrict URL-shortener support in the importer where possible; if shortlinks must be accepted, resolve them with redirects disabled and validate every hop before the final fetch.
7. Employ security plugins or tools that detect SSRF attempts or anomalous server-side requests.
8. Educate site administrators and contributors about the risks of SSRF and safe handling of import sources.
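The detection suggested in the monitoring recommendation, as an added example for this page rather than anything from the plugin, its vendor, or a particular log product. The log lines and their whitespace-separated format (timestamp, source IP, destination host, destination IP, method, URL, status) are constructed here so the code runs offline; a real egress proxy or firewall writes a different layout and the regular expression would need adjusting. The logic flags any outbound request from the web tier to loopback, private, link-local or IPv4-mapped addresses, and marks those that follow a URL-shortener lookup from the same source within a short window, which is the sequence this vulnerability produces.

```python
import ipaddress
import re

# Constructed egress-proxy log lines: "ts src_ip dst_host dst_ip method url status".
# 10.20.0.15 stands for the WordPress host. Lines 1-3 mimic the shortlink chain
# from this advisory; line 5 is a direct hit on a local Redis port; others are benign.
SAMPLE_LOG = """\
1736355000.101 10.20.0.15 bit.ly 67.199.248.10 HEAD https://bit.ly/evil01 301
1736355000.233 10.20.0.15 example.com 93.184.216.34 HEAD https://example.com/hop 302
1736355000.410 10.20.0.15 169.254.169.254 169.254.169.254 GET http://169.254.169.254/latest/meta-data/iam/ 200
1736355012.005 10.20.0.15 api.wordpress.org 198.143.164.251 GET https://api.wordpress.org/plugins/update-check/1.1/ 200
1736355020.777 10.20.0.15 127.0.0.1 127.0.0.1 GET http://127.0.0.1:6379/ 200
1736355030.300 10.20.0.15 cdn.example.net 203.0.113.9 GET https://cdn.example.net/data.csv 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)

# Destinations a web server has no business fetching from on behalf of a user.
SENSITIVE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Shortener front ends worth correlating on (assumed list; extend to match your environment).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "j.mp"}


def parse(line):
    """Parse one constructed log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = float(entry["ts"])
    return entry


def is_sensitive(ip_str):
    """True if the destination address falls in a range the web tier should never reach."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in SENSITIVE_NETWORKS)


def detect(log_text, window=5.0):
    """Return one alert per outbound request to a sensitive address.

    Each alert records whether the same source contacted a URL shortener within
    `window` seconds beforehand, the pattern an unshortened Bitly SSRF leaves behind.
    """
    last_shortener_hit = {}   # src_ip -> timestamp of its most recent shortener request
    alerts = []
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        if e["host"] in SHORTENER_HOSTS:
            last_shortener_hit[e["src"]] = e["ts"]
            continue
        if is_sensitive(e["dst"]):
            last = last_shortener_hit.get(e["src"])
            alerts.append({
                "ts": e["ts"],
                "src": e["src"],
                "url": e["url"],
                "via_shortener": last is not None and 0 <= e["ts"] - last <= window,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        tag = "shortener-chain" if a["via_shortener"] else "direct"
        print(f"{a['ts']:.3f} {a['src']} -> {a['url']} [{tag}]")
```

In practice this runs against the egress proxy or VPC flow/firewall logs rather than the web server's own access log, because the requests in question are ones the server sends, not ones it receives. The shortener correlation is a prioritisation aid only; any request from the web tier to a sensitive range deserves investigation, and the egress controls in recommendation 3 should make such requests fail as well as log.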
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-12T21:29:55.600Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6956a0c2db813ff03e6d157a
Added to database: 1/1/2026, 4:28:50 PM
Last enriched: 1/8/2026, 6:57:41 PM
Last updated: 2/7/2026, 1:07:09 AM