CNNVD-202511-012 Information
CNNVD ID
CNNVD-202511-012
Related CVE
- CNNVD Published: 2025-11-01
Description (Chinese)
WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Import WP – Export and Import CSV and XML files to WordPress 2.14.16及之前版本存在安全漏洞,该漏洞源于REST API端点处理file_local操作时未正确验证attach_file函数中的绝对文件路径,可能导致具有管理员权限的攻击者通过local_url参数读取服务器上的任意文件。
Description (English)
WordPress and WordPressplugin are products of WordPress. WordPress is a blog platform developed in the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL-based servers. WordPress plugin is an application plugin. WordPress plugin Import WP – Export and Import CSV and XML files to WordPress 2.14.16 and previous versions contain a security loophole resulting from the fact that the REST API endpoint processing file file local did not correctly validate the absolute file path in the attach file function, which could result in an attacker with administrator privileges reading any files on the server through local url parameters.
Hazard Level
High
Vulnerability Type
其他
Affected Vendor
WordPress
Published
2025-11-01
Last Modified
2026-02-24
References
https://cwe.mitre.org/data/definitions/36.html https://github.com/importwp/importwp/commit/94cc524aa0c81be6463a9e8d154b00220e34709c https://owasp.org/www-community/attacks/Path_Traversal https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L212 https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L56 https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Importer/ImporterManager.php#L435 https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Rest/RestManager.php#L1079 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387749%40jc-importer&new=3387749%40jc-importer&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/f10636ea-06aa-4186-a891-ed4bb0800c41?source=cve https://access.redhat.com/security/cve/cve-2025-12137
Patch
https://wordpress.org/plugins/jc-importer/
Share on: