The WP Import – Ultimate CSV XML Importer plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2025-14627. This vulnerability exists in all versions up to and including 7.35 due to insufficient validation of URLs after redirect resolution. Specifically, the plugin uses the `upload_function()` method to process URLs, initially validating them with `wp_http_validate_url()`. However, when a Bitly shortlink is detected, the plugin calls `unshorten_bitly_url()` to follow the redirect chain to the final destination URL without reapplying validation. This oversight allows an authenticated attacker with Contributor-level or higher privileges to supply a Bitly shortlink that resolves to internal network addresses or cloud metadata services. Consequently, the server can be coerced into making HTTP requests to internal endpoints such as localhost, private IP ranges, or cloud provider metadata IPs (e.g., 169.254.169.254), potentially leaking sensitive information or enabling further attacks. The vulnerability has a CVSS 3.1 base score of 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity. No public exploits have been reported yet, but the flaw poses a significant risk to WordPress sites using this plugin, especially in environments where internal services or cloud metadata are accessible.

The SSRF vulnerability allows attackers with minimal privileges (Contributor-level) to make the WordPress server perform arbitrary HTTP requests to internal or protected network resources. This can lead to unauthorized access to sensitive internal services, including localhost interfaces, private IP ranges, and cloud metadata services that often contain critical credentials or configuration data. Exposure of cloud metadata can result in compromise of cloud instance credentials, enabling attackers to escalate privileges or move laterally within cloud environments. Additionally, internal services not intended to be exposed externally may be enumerated or attacked, increasing the risk of further exploitation. Although the vulnerability does not directly allow remote code execution or denial of service, the confidentiality and integrity of internal data are at risk. Organizations running WordPress sites with this plugin may face data breaches, unauthorized access, and potential cloud environment compromise if exploited.

To mitigate this vulnerability, organizations should immediately update the WP Import – Ultimate CSV XML Importer plugin to a patched version once released by the vendor. Until a patch is available, administrators should restrict Contributor-level user permissions to trusted individuals only, minimizing the risk of exploitation. Implement network-level controls such as firewall rules or web application firewall (WAF) policies to block outbound HTTP requests from the WordPress server to internal IP ranges and cloud metadata IP addresses (e.g., 169.254.169.254). Additionally, disable or restrict the plugin’s import functionality if not essential. Monitoring and logging outbound HTTP requests from the server can help detect suspicious SSRF attempts. Developers should ensure that URL validation is performed after any redirect resolution, especially when handling shortlinks or URL unshortening, to prevent similar SSRF issues.