CVE-2025-54029 HIGH

CVE-2025-54029: WordPress WooCommerce csv import export Plugin <= 2.0.6 - Arbitrary File Deletion Vulnerability

Vendor: Extendons
Product: WooCommerce csv import export
Weakness: CWE-22 · Path traversal
Published: August 28, 2025
Last update: April 28, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export extendons-eo-wooimport-export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through <= 2.0.6.

Explanation of Vulnerability in Simple Terms

02 Summary

The WooCommerce CSV Import Export plugin through version 2.0.6 contains a path traversal vulnerability, classified as arbitrary file deletion, that allows authenticated users to cause a denial of service by manipulating file paths during CSV import operations. An attacker with low-level access can disrupt site availability by targeting critical files. Because the CVSS scope is changed (S:C), the impact extends beyond the plugin to the entire site.

What an attacker can do

03 Attacker Capabilities

Make the site unavailable or unresponsive by triggering file operations on restricted paths.

Potential impact on your site

04 Site Impact

Site downtime or performance degradation if an authenticated user exploits the path traversal during CSV import.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account (e.g., subscriber or contributor role) on the site.

Key dates

06 Disclosure timeline

August 28, 2025: CVE published
April 28, 2026: Record updated