CVE-2025-1769 identifies a directory traversal vulnerability (CWE-22) in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress, specifically in the download_file() function. This flaw exists in all versions up to and including 2.5.0. The vulnerability allows an authenticated attacker with Administrator-level access or higher to manipulate the pathname parameter to traverse directories outside the intended restricted directory. By exploiting this, the attacker can read arbitrary files on the web server, including sensitive log files that may contain credentials, configuration details, or other confidential information. The vulnerability requires no user interaction beyond authentication and does not allow modification or deletion of files, limiting its impact to confidentiality breaches. The CVSS 3.1 base score of 4.9 reflects a medium severity due to the requirement for high privileges and network attack vector. No public exploits have been reported yet, but the vulnerability poses a risk to any WordPress site using this plugin, especially those with multiple administrators or less stringent access controls. The flaw arises from improper validation and sanitization of file path inputs, allowing directory traversal beyond the plugin’s intended file access scope.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored on the server, such as log files that may contain user credentials, API keys, or other confidential data. This can lead to further attacks if attackers gain insight into system configurations or user activities. Since exploitation requires Administrator-level access, the risk is somewhat mitigated by existing access controls; however, insider threats or compromised administrator accounts could leverage this vulnerability to escalate data exposure. The vulnerability does not allow modification or deletion of files, so integrity and availability impacts are minimal. Organizations relying on this plugin for WooCommerce product import/export functionality may face data confidentiality risks, potentially affecting customer trust and compliance with data protection regulations. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

To mitigate this vulnerability, organizations should immediately update the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin to a patched version once available. Until a patch is released, restrict Administrator-level access to trusted personnel only and monitor for suspicious activity related to file downloads. Implement web application firewall (WAF) rules to detect and block directory traversal patterns in requests targeting the download_file() function. Review and harden file permission settings on the server to limit access to sensitive log files and other critical data. Conduct regular audits of administrator accounts to ensure no unauthorized users have elevated privileges. Additionally, consider isolating the WordPress environment or using containerization to limit the impact of potential exploits. Enable detailed logging and alerting for file access anomalies to detect exploitation attempts early.