CVE-2025-12137

MEDIUM

Import WP <= 2.14.16 - Authenticated Arbitrary File Read via attach_file()

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-12137. PoCs published by jFriedli.

AI-analyzed exploit summary This PoC demonstrates a local file disclosure vulnerability in a WordPress plugin by exploiting its REST API to attach and preview arbitrary local files (e.g., /etc/passwd). The exploit chains API calls to create an importer, attach a local file, process it as a CSV, and preview its contents.

Description

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.

Exploits (1)

nomisec WORKING POC

by jFriedli · poc

https://github.com/jFriedli/CVE-2025-12137

View Code ZIP pw:eip

This PoC demonstrates a local file disclosure vulnerability in a WordPress plugin by exploiting its REST API to attach and preview arbitrary local files (e.g., /etc/passwd). The exploit chains API calls to create an importer, attach a local file, process it as a CSV, and preview its contents.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: WordPress plugin (likely 'Import WP' or similar)

Auth required

Prerequisites: WordPress admin access or valid nonce · Import WP plugin installed

MITRE ATT&CK