Refine your search
4 vulnerabilities found for Product Import Export for WooCommerce – Import Export Product CSV Suite by webtoffee
CVE-2025-1913 (GCVE-0-2025-1913)
Vulnerability from cvelistv5
Published
2025-03-26 11:55
Modified
2026-04-08 17:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webtoffee | Product Import Export for WooCommerce – Import Export Product CSV Suite |
Version: 0 ≤ 2.5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1913",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T13:13:25.397332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T13:13:37.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite",
"vendor": "webtoffee",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hay Mizrachi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the \u0027form_data\u0027 parameter This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:45.674Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d4464bb1-273a-42c4-a7ec-8e123d286963?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/import/classes/class-import-ajax.php"
},
{
"url": "https://wordpress.org/plugins/product-import-export-for-woo/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261194/"
},
{
"url": "https://github.com/S0haib518-KSA/CVE-2025-1913-PoC/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-25T23:23:13.000Z",
"value": "Disclosed"
}
],
"title": "Product Import Export for WooCommerce \u003c= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1913",
"datePublished": "2025-03-26T11:55:53.001Z",
"dateReserved": "2025-03-03T23:08:06.268Z",
"dateUpdated": "2026-04-08T17:25:45.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1911 (GCVE-0-2025-1911)
Vulnerability from cvelistv5
Published
2025-03-26 11:55
Modified
2026-04-08 17:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webtoffee | Product Import Export for WooCommerce – Import Export Product CSV Suite |
Version: 0 ≤ 2.5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1911",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T13:14:04.436225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T13:18:52.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite",
"vendor": "webtoffee",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hay Mizrachi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:17.118Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d222ef6d-cdec-482e-92ba-65eeabbcdeae?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/history/history.php#L248"
},
{
"url": "https://wordpress.org/plugins/product-import-export-for-woo/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261194/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-25T23:22:17.000Z",
"value": "Disclosed"
}
],
"title": "Product Import Export for WooCommerce \u003c= 2.5.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1911",
"datePublished": "2025-03-26T11:55:52.549Z",
"dateReserved": "2025-03-03T22:18:14.606Z",
"dateUpdated": "2026-04-08T17:25:17.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1912 (GCVE-0-2025-1912)
Vulnerability from cvelistv5
Published
2025-03-26 11:55
Modified
2026-04-08 16:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webtoffee | Product Import Export for WooCommerce – Import Export Product CSV Suite |
Version: 0 ≤ 2.5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1912",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T13:19:36.691095Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T13:19:50.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite",
"vendor": "webtoffee",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hay Mizrachi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:48:23.164Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/406b52dc-3d36-4b03-a932-34f456395979?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/import/classes/class-import-ajax.php#L175"
},
{
"url": "https://wordpress.org/plugins/product-import-export-for-woo/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261194/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-25T23:22:36.000Z",
"value": "Disclosed"
}
],
"title": "Product Import Export for WooCommerce \u003c= 2.5.0 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1912",
"datePublished": "2025-03-26T11:55:51.801Z",
"dateReserved": "2025-03-03T22:52:35.747Z",
"dateUpdated": "2026-04-08T16:48:23.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1769 (GCVE-0-2025-1769)
Vulnerability from cvelistv5
Published
2025-03-26 11:22
Modified
2026-04-08 16:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webtoffee | Product Import Export for WooCommerce – Import Export Product CSV Suite |
Version: 0 ≤ 2.5.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1769",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T13:34:13.937851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T13:34:26.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite",
"vendor": "webtoffee",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hay Mizrachi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Import Export for WooCommerce \u2013 Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:37.824Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4df60fbe-4475-4cbf-b497-a9c5251bc91f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/product-import-export-for-woo/trunk/admin/modules/history/history.php#L753"
},
{
"url": "https://wordpress.org/plugins/product-import-export-for-woo/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3261194/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-25T23:20:01.000Z",
"value": "Disclosed"
}
],
"title": "Product Import Export for WooCommerce \u003c= 2.5.0 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1769",
"datePublished": "2025-03-26T11:22:09.346Z",
"dateReserved": "2025-02-27T23:32:47.829Z",
"dateUpdated": "2026-04-08T16:51:37.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}