What the vulnerability does
01 Description
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.
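As an added defender-side illustration, not code from the Import WP plugin or its fix, the PHP below shows the kind of allow-list path validation a 'file_local' handler needs before it opens a user-supplied 'local_url'. The function name, error codes and the choice of the WordPress uploads directory as the only permitted base are assumptions.

```php
<?php
// Added example (not Import WP's own code): confine a user-supplied local path
// such as the 'local_url' parameter to the site's uploads directory.
// Assumes WordPress is loaded, so wp_upload_dir() and WP_Error are available.

/**
 * Resolve $local_url and confirm it stays inside the uploads directory.
 * Returns the canonical path on success or a WP_Error on rejection.
 */
function example_validate_local_import_path( $local_url ) {
    $upload   = wp_upload_dir();
    $base_dir = realpath( $upload['basedir'] );
    if ( false === $base_dir ) {
        return new WP_Error( 'import_base_missing', 'Uploads directory is not available.' );
    }

    // realpath() collapses '..' segments and symlinks and returns false for
    // paths that do not exist, so the comparison below sees the real target.
    $real = realpath( (string) $local_url );
    if ( false === $real || ! is_file( $real ) ) {
        return new WP_Error( 'import_file_missing', 'File not found.' );
    }

    // Compare with a trailing separator so a sibling directory whose name merely
    // starts with the base name (e.g. "uploads2") is not accepted.
    $base_with_sep = rtrim( $base_dir, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $real, $base_with_sep ) ) {
        return new WP_Error( 'import_path_forbidden', 'Path outside the uploads directory.' );
    }

    // Accept only the formats the importer is meant to process.
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'csv', 'xml' ), true ) ) {
        return new WP_Error( 'import_type_forbidden', 'Only CSV and XML files may be imported.' );
    }

    return $real;
}

// Hypothetical use inside a 'file_local' REST handler:
// $path = example_validate_local_import_path( $request['local_url'] );
// if ( is_wp_error( $path ) ) { return $path; }
// ... continue with $path only, never with the raw $local_url value.
```

An absolute path to a configuration or system file fails the prefix check and is rejected before any read occurs, while a CSV or XML file under the uploads directory passes.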
Explanation of Vulnerability in Simple Terms
02 Summary
The Import WP plugin for WordPress contains a flaw that allows high-privilege users to read sensitive data they should not access. An administrator or editor with the right permissions can view confidential information through the plugin's import or export functionality. This requires authenticated access and does not affect data integrity or site availability.
What an attacker can do
03 Attacker Capabilities
Read sensitive data accessible through the plugin's import/export features.
Potential impact on your site
04 Site Impact
A compromised admin account could expose confidential data via the plugin without modifying or deleting it.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level WordPress privileges (administrator or equivalent role).
Key dates
06 Disclosure timeline
November 1, 2025: CVE published
April 8, 2026: Record updated