CVE-2025-1970
Published: 22 March 2025
Summary
CVE-2025-1970 is a high-severity SSRF (CWE-918) vulnerability in Webtoffee Import Export Wordpress Users. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the SSRF by requiring validation of information inputs, such as those processed by the vulnerable validate_file() function, to prevent arbitrary web requests.
- Monitors and controls communications at system boundaries to block or detect unauthorized outbound requests from the web application to internal services.
- Enforces information flow control policies that restrict server-side requests to arbitrary or internal locations, preventing exploitation of the SSRF vulnerability.
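The first and third controls above (validate the input, restrict the information flow) are what an SSRF-safe fetch looks like in practice. The following is an added example written for this page; it is not code from the plugin or from Webtoffee, and it does not reproduce the plugin's validate_file() logic. It checks a user-supplied URL before any request is made: only http/https, no embedded credentials, an allow-listed port, and every resolved address must be globally routable. The resolver is injectable so the demo runs offline against a constructed hostname table; in production the default resolver performs a real DNS lookup.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example (not the plugin's code). Allow-list validator that a
# server-side import feature should run before fetching a user-supplied URL.

ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = frozenset({80, 443})


def _system_resolver(hostname):
    """Real DNS lookup: every A/AAAA address string returned for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses.

    ip.is_global is False for loopback, RFC 1918, link-local, shared address
    space, documentation ranges and IPv6 ULA; multicast is excluded explicitly
    because is_global does not cover it on older Python versions.
    """
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=_system_resolver, allowed_ports=ALLOWED_PORTS):
    """Return (ok, detail, addresses).

    On success `addresses` holds the resolved IPs; the caller must connect to
    one of them (sending the Host header separately) instead of resolving the
    name again, otherwise a DNS answer that changes between validation and
    fetch would bypass the check.
    """
    parsed = urlparse(url)
    scheme = (parsed.scheme or "").lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % scheme, []
    if parsed.username is not None or parsed.password is not None:
        return False, "embedded credentials not allowed", []
    hostname = parsed.hostname
    if not hostname:
        return False, "missing host", []
    try:
        port = parsed.port  # raises ValueError for an out-of-range port
    except ValueError:
        return False, "malformed port", []
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in allowed_ports:
        return False, "port not allowed: %d" % port, []
    try:
        addresses = resolver(hostname)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False, "host does not resolve: %r" % hostname, []
    if not addresses:
        return False, "host does not resolve: %r" % hostname, []
    # Every address must be public: one internal record among several public
    # ones is enough for the request to land on an internal service.
    for addr in addresses:
        try:
            if not is_public_ip(addr):
                return False, "non-public address %s for %r" % (addr, hostname), []
        except ValueError:
            return False, "unparseable address %r" % addr, []
    return True, "ok", list(addresses)


# Constructed hostname table so the example runs offline (not real DNS data).
CONSTRUCTED_DNS = {
    "files.example.com": ["93.184.216.34"],  # stands in for a public host
    "intranet.example": ["10.0.0.5"],        # RFC 1918 internal host
    "localhost": ["127.0.0.1"],
}


def constructed_resolver(hostname):
    """Offline stand-in for DNS: IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(hostname)
        return [hostname]
    except ValueError:
        pass
    if hostname not in CONSTRUCTED_DNS:
        raise socket.gaierror("constructed resolver: unknown host %r" % hostname)
    return CONSTRUCTED_DNS[hostname]


if __name__ == "__main__":
    for candidate in (
        "https://files.example.com/users.csv",
        "http://intranet.example/admin",
        "http://localhost/",
        "file:///etc/hosts",
        "http://user:pw@files.example.com/",
    ):
        ok, detail, addrs = validate_outbound_url(candidate, resolver=constructed_resolver)
        print("%-40s %s %s" % (candidate, "ALLOW" if ok else "BLOCK", detail if not ok else addrs))
```

Validation of this kind covers the input side; the boundary-protection control is the complementary layer, since an egress proxy or host firewall that denies the web server's process access to internal ranges still limits the blast radius when a validator is bypassed or missing, which is the situation in unpatched versions of this plugin.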
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF vulnerability in a public-facing WordPress plugin directly enables exploitation of the application (T1190) to query or modify internal backend resources and bypass network restrictions.
NVD Description
The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Deeper analysis
CVE-2025-1970 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Export and Import Users and Customers plugin for WordPress. It affects all versions up to and including 2.6.2, specifically via the validate_file() function in the plugin's admin/modules/import/classes/class-import-ajax.php file at line 175. Published on 2025-03-22, the flaw has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N), reflecting high severity due to network accessibility, low complexity, high privileges required, no user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact.
Authenticated attackers possessing Administrator-level access or higher can exploit this vulnerability to originate web requests from the web application to arbitrary locations. This enables querying and modifying information from internal services that are not externally accessible, potentially bypassing network restrictions and exposing sensitive backend resources.
Advisories and references, including Wordfence's threat intelligence report, point to mitigation through patching, with WordPress plugin trac changeset 3259688 addressing the issue. Security practitioners should review the plugin's developer documentation and update affected installations promptly.
Details
- CWE(s)