CVE-2025-48144 HIGH

CVE-2025-48144: WordPress Import Export For WooCommerce plugin <= 1.6.2 - CSRF to Stored XSS vulnerability

Vendor Sidngr
Product Import Export For WooCommerce
Weakness CWE-352 · CSRF
Published May 16, 2025
Last update April 28, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01 Description

Cross-Site Request Forgery (CSRF) vulnerability in sidngr Import Export For WooCommerce import-export-for-woocommerce allows Stored XSS. This issue affects Import Export For WooCommerce: from n/a through <= 1.6.2.

Explanation of Vulnerability in Simple Terms

02 Summary

Import Export For WooCommerce versions up to 1.6.2 contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the site without their knowledge. The vulnerability affects import and export functionality and requires the victim to visit a malicious link.

What an attacker can do

03 Attacker Capabilities

Perform unwanted import or export actions on behalf of a logged-in administrator without their consent.

Potential impact on your site

04 Site Impact

An attacker could trigger unintended data imports, exports, or modifications to WooCommerce settings by tricking an administrator into issuing the request.

Conditions required to exploit

05 Prerequisites

An administrator must visit a malicious webpage while logged in to WordPress.

Key dates

06 Disclosure timeline

May 16, 2025 CVE published
April 28, 2026 Record updated