Cyber Resilience

CVE-2025-1912

Severity: High
Published: 26 March 2025
Modified: 09 July 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 7.6 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0007 (22.0th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1912 is a high-severity SSRF (CWE-918) vulnerability in Webtoffee Product Import Export For Woocommerce. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). EPSS ranks the CVE at the 22.0th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog. The PR:H component of the vector matters for triage: exploitation requires an already-compromised Administrator account, so the SSRF converts that foothold into reach onto the internal network rather than providing initial access.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-1912, published on 2025-03-26, is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918 in the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress. It affects all versions up to and including 2.5.0, via the validate_file() function in the plugin's admin/modules/import/classes/class-import-ajax.php file around line 175. The CVSS v3.1 base score is 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N): reachable over the network with low attack complexity and no user interaction, but requiring high privileges. The changed scope and high confidentiality impact reflect that the forged requests reach systems beyond the WordPress site itself, with a low integrity impact on those systems.

Authenticated attackers with Administrator-level access or higher can use the flaw to make the web server issue requests to locations of their choosing. Because the request originates from the server, it reaches services that are not exposed to the public internet, such as loopback-bound services, cloud instance metadata endpoints, or hosts on internal and management networks, letting the attacker read sensitive information from them or, in some cases, modify data on them. The practical impact therefore depends on what the WordPress host can reach, not on the plugin alone.

Advisories and patch details are available via the referenced sources, including WordPress plugin changeset 3261194, which addresses the issue, and a Wordfence threat intelligence report. The plugin's developer page on WordPress.org provides further context for remediation. Update the plugin beyond version 2.5.0; note that the Affected Assets entry on this page lists versions ≤ 2.5.1, so confirm the fixed version against the plugin changelog rather than assuming 2.5.1 is patched. Until the update is applied, keeping the number of Administrator accounts small and enforcing strong authentication on them removes the precondition the attack needs.
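The validation a function in the validate_file() role needs before the server fetches a user-supplied location, written out as an added example. This is not the plugin's code and not Webtoffee's fix; the function names, the port allow-list and the sample inputs are assumptions for illustration, and it assumes PHP 8 with the curl extension.

```php
<?php
declare(strict_types=1);

// Added example, not code from the plugin or from Webtoffee. It shows the
// checks a function in the role of validate_file() needs before the server
// fetches a user-supplied location. All names here are hypothetical.

// Vulnerable pattern: the server fetches whatever the admin form submits.
// file://, loopback ports, cloud metadata and internal hostnames are all
// reachable, and a redirect can send the request anywhere.
function import_from_url_vulnerable(string $url): string|false
{
    return @file_get_contents($url);
}

// Hardened check. Returns the validated URL plus the address to pin the
// connection to, or null when the URL must be refused.
function validate_import_url(string $url): ?array
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                              // no file://, php://, gopher://, dict://
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;                              // http://trusted@internal-host/ confusion
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        return null;                              // otherwise SSRF doubles as a port scanner
    }
    $host = strtolower(trim($parts['host'], '[]'));

    // Resolve every address the name maps to. A name with one public and one
    // internal record is refused as a whole; a name that fails to resolve is
    // refused too (fail closed).
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ips = [$host];
    } else {
        $ips = gethostbynamel($host) ?: [];
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
            $ips[] = $rec['ipv6'];
        }
    }
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4, ::1, ::/128, ::ffff:0:0/96, fe80::/10
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return ['url' => $url, 'host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetch that keeps the validation honest: no redirects, and the connection is
// pinned to the address that was checked, so a DNS answer that changes between
// the check and the connect (rebinding) cannot redirect it.
function import_from_url_hardened(string $url): string|false
{
    $ok = validate_import_url($url);
    if ($ok === null) {
        return false;
    }
    $ch = curl_init($ok['url']);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RESOLVE        => ["{$ok['host']}:{$ok['port']}:{$ok['ip']}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs for a local run; none come from the advisory.
foreach ([
    'https://example.com/products.csv',
    'http://127.0.0.1:6379/',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::1]/',
    'file:///etc/passwd',
    'http://user:secret@example.com/',
] as $candidate) {
    printf("%-45s %s\n", $candidate, validate_import_url($candidate) ? 'allowed' : 'rejected');
}
```

Inside WordPress the equivalent of the scheme and address checks is wp_safe_remote_get() (or wp_remote_get() with 'reject_unsafe_urls' set), which runs wp_http_validate_url() before connecting; a plugin fetching admin-supplied URLs should use that rather than file_get_contents() or a bare curl handle. What the WordPress helper does not do is pin the connection to the address it checked, which is why the hardened fetch above sets CURLOPT_RESOLVE. Running the sample loop without DNS access rejects the example.com entries as well, which is the intended fail-closed behaviour.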


Vulnerability details

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (automated mapping)

T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

T1565 Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Because the flaw requires Administrator-level access, these techniques describe post-compromise activity: an attacker who already controls an admin account uses the SSRF to force server requests to arbitrary or internal locations, which directly enables internal network service discovery (T1046), querying sensitive data from information repositories (T1213), and modifying data on internal services (T1565).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1913 · Same product: Webtoffee Product Import Export For Woocommerce
CVE-2024-13923 · Same product class: WordPress / CMS plugin
CVE-2024-13921 · Same product class: WordPress / CMS plugin
CVE-2025-1970 · Same vendor: Webtoffee
CVE-2024-13904 · Same product class: WordPress / CMS plugin
CVE-2025-1661 · Same product class: WordPress / CMS plugin
CVE-2024-13792 · Same product class: WordPress / CMS plugin
CVE-2024-13359 · Same product class: WordPress / CMS plugin
CVE-2025-22786 · Same product class: WordPress / CMS plugin
CVE-2025-7341 · Same product class: WordPress / CMS plugin

Affected Assets

Vendor: webtoffee
Product: product import export for woocommerce
Versions: ≤ 2.5.1

Mitigating Controls (NIST 800-53 r5, automated mapping)

SI-10 Information Input Validation (prevent)
Directly mitigates the SSRF by requiring validation of user-supplied file paths and URLs in the validate_file() function before any server-side request is made: restrict the scheme to http(s), resolve the host and refuse loopback, link-local, private and reserved addresses, and do not follow redirects.

Patch management (prevent)
Requires timely patching of the SSRF flaw in the Product Import Export for WooCommerce plugin via updates beyond version 2.5.0.

AC-4 Information Flow Enforcement (prevent)
Enforces policies controlling information flows from the web application to internal services, for example egress filtering that denies the web tier access to internal address ranges, management ports and cloud metadata endpoints, so that a forged request fails even where input validation is bypassed.
