CVE-2025-1912
Published: 26 March 2025
Summary
CVE-2025-1912 is a high-severity SSRF (CWE-918) vulnerability in Webtoffee Product Import Export For Woocommerce. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks at the 21.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates SSRF by requiring validation of user-supplied file paths and URLs in the validate_file() function to block arbitrary server requests.
- Requires timely patching of the SSRF flaw in the Product Import Export for WooCommerce plugin via updates beyond version 2.5.0.
- Enforces policies controlling information flows from the web application to prevent unauthorized access to internal services via SSRF.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF allows admin-authenticated attackers to force server requests to arbitrary/internal locations, directly enabling internal network service discovery (T1046), querying sensitive data from information repositories (T1213), and modifying data on internal services (T1565).
NVD Description
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Deeper analysis
CVE-2025-1912, published on 2025-03-26, is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress. It affects all versions up to and including 2.5.0, specifically via the validate_file() function located in the plugin's admin/modules/import/classes/class-import-ajax.php file around line 175. The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact with changed scope.
Authenticated attackers possessing Administrator-level access or higher can exploit this SSRF flaw to compel the web server to make requests to arbitrary locations. This enables interaction with internal services inaccessible from the public internet, allowing attackers to query sensitive information or, in some cases, modify data on those services.
Advisories and patch details are available via referenced sources, including WordPress plugin changeset 3261194, which addresses the issue, and a Wordfence threat intelligence report. The plugin's developer page on WordPress.org provides further context for remediation. Security practitioners should apply the patch by updating the plugin beyond version 2.5.0.
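The input-validation control described above (SI-10) can be sketched as a destination check run on a user-supplied import URL before the server fetches it. This is an added example, not the plugin's code and not the fix from changeset 3261194; `import_url_is_allowed()`, `ip_is_public()`, the `$resolver` parameter and the sample hostnames are assumptions made for illustration.

```php
<?php
// Added illustration; import_url_is_allowed() and $resolver are hypothetical names.
/** True only for public addresses (PHP's private and reserved ranges are refused). */
function ip_is_public(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

function import_url_is_allowed(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // malformed, or no host (e.g. file:///...)
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // web schemes only
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // userinfo invites parser confusion
    }
    $host = trim($parts['host'], '[]');     // parse_url keeps IPv6 brackets
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $resolver ??= static function (string $h): array {
            $records = dns_get_record($h, DNS_A | DNS_AAAA) ?: [];
            return array_map(static fn(array $r) => $r['ip'] ?? $r['ipv6'], $records);
        };
        $ips = $resolver($host);
    }
    foreach ($ips as $ip) {
        if (!ip_is_public($ip)) {
            return false;                   // any internal answer rejects the URL
        }
    }
    return $ips !== [];                     // unresolvable hosts are rejected too
}

// Constructed sample data: a fake resolver so the demo runs offline.
$fakeDns = static fn(string $h): array => [
    'files.example.com'    => ['93.184.216.34'],
    'intranet.example.com' => ['10.0.0.5'],
][$h] ?? [];

foreach (['https://files.example.com/products.csv', 'http://intranet.example.com/p.csv',
          'http://127.0.0.1:8080/status', 'http://[::1]/', 'file:///etc/passwd'] as $u) {
    printf("%-42s %s\n", $u, import_url_is_allowed($u, $fakeDns) ? 'allow' : 'reject');
}
```

A check like this only holds if the subsequent fetch connects to the address that was validated and does not follow redirects without re-validating each hop. Network-level egress filtering (AC-4) remains the backstop when application validation is bypassed.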
Details
- CWE(s)