Refine your search
3 vulnerabilities found for by smackcoders
CVE-2025-13606 (GCVE-0-2025-13606)
Vulnerability from cvelistv5
Published
2025-12-02 04:37
Modified
2025-12-02 14:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smackcoders | Export All Posts, Products, Orders, Refunds & Users |
Version: * ≤ 2.19 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13606",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-02T14:16:54.020245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T14:21:30.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Export All Posts, Products, Orders, Refunds \u0026 Users",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "2.19",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lucky_buddy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Export All Posts, Products, Orders, Refunds \u0026 Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-02T04:37:14.256Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3511e110-d091-447d-87c0-25d33900bc30?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3405694/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-14T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-24T15:06:28.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-01T16:23:28.000+00:00",
"value": "Disclosed"
}
],
"title": "Export All Posts, Products, Orders, Refunds \u0026 Users \u003c= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13606",
"datePublished": "2025-12-02T04:37:14.256Z",
"dateReserved": "2025-11-24T14:50:42.137Z",
"dateUpdated": "2025-12-02T14:21:30.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13145 (GCVE-0-2025-13145)
Vulnerability from cvelistv5
Published
2025-11-19 05:45
Modified
2025-11-19 20:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smackcoders | WP Import – Ultimate CSV XML Importer for WordPress |
Version: * ≤ 7.33.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:27:05.837164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:27:18.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Import \u2013 Ultimate CSV XML Importer for WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.33.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dieu Link"
},
{
"lang": "en",
"type": "finder",
"value": "GCSC Vietnam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T05:45:13.217Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e441699-4c78-4277-8ac1-f33b810e78cb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/SingleImportExport.php#L116"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3397842/wp-ultimate-csv-importer/trunk/SingleImportExport.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-13T19:22:27.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T17:44:17.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13145",
"datePublished": "2025-11-19T05:45:13.217Z",
"dateReserved": "2025-11-13T19:07:19.403Z",
"dateUpdated": "2025-11-19T20:27:18.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12732 (GCVE-0-2025-12732)
Vulnerability from cvelistv5
Published
2025-11-12 08:28
Modified
2025-11-12 14:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smackcoders | WP Import – Ultimate CSV XML Importer for WordPress |
Version: * ≤ 7.33 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-12T14:40:42.860039Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T14:40:54.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Import \u2013 Ultimate CSV XML Importer for WordPress",
"vendor": "smackcoders",
"versions": [
{
"lessThanOrEqual": "7.33",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin\u0027s admin interface."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-12T08:28:04.060Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-04T22:23:13.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-11T20:07:42.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress \u003c= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12732",
"datePublished": "2025-11-12T08:28:04.060Z",
"dateReserved": "2025-11-04T22:08:04.891Z",
"dateUpdated": "2025-11-12T14:40:54.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}