{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12389", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-28T13:13:22.814Z", "datePublished": "2025-11-04T04:27:21.061Z", "dateUpdated": "2026-04-08T17:13:19.058Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:13:19.058Z"}, "affected": [{"vendor": "sidngr", "product": "Import Export For WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.6.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_setting() function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's record setting."}], "title": "Import Export For WooCommerce <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a93e3f-54c6-4970-96fd-fab0e81f7034?source=cve"}, {"url": "https://wordpress.org/plugins/import-export-for-woocommerce/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-11-03T16:00:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-04T15:20:14.650253Z", "id": "CVE-2025-12389", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:20:23.287Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12389", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-04T15:20:14.650253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-04T15:20:18.298Z"}}], "cna": {"title": "Import Export For WooCommerce <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "sidngr", "product": "Import Export For WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.6.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-03T16:00:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a93e3f-54c6-4970-96fd-fab0e81f7034?source=cve"}, {"url": "https://wordpress.org/plugins/import-export-for-woocommerce/"}], "descriptions": [{"lang": "en", "value": "The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_setting() function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's record setting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-04T04:27:21.061Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12389", "state": "PUBLISHED", "dateUpdated": "2025-11-04T15:20:23.287Z", "dateReserved": "2025-10-28T13:13:22.814Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-04T04:27:21.061Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_setting() function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's record setting."}], "id": "CVE-2025-12389", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-04T05:16:11.770", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/import-export-for-woocommerce/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a5a93e3f-54c6-4970-96fd-fab0e81f7034?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:55:55.082524+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Import Export For WooCommerce plugin (1.6.3 or later).", "If unable to upgrade immediately, remove or downgrade Subscriber role permissions that allow access to the plugin\u2019s settings page.", "Review and restrict the capabilities assigned to all WordPress user roles so that only administrators can modify plugin settings."], "summary": {"action": "Apply Patch", "impact": "Unauthorized configuration change"}, "threat_synthesis": {"affected_systems": "The vulnerable product is the Import Export For WooCommerce plugin by sidngr. Versions through 1.6.2 are affected; the plugin is used within WordPress installations.", "description_and_impact": "The Import Export For WooCommerce WordPress plugin contains a missing capability check in the update_setting() function in all releases up to 1.6.2. This flaw allows authenticated users with Subscriber-level permissions or higher to modify the plugin\u2019s record setting, altering the way export and import operations are handled. While it does not provide direct code execution or data exfiltration, the ability to change critical configuration values can affect the reliability and behavior of an e\u2011commerce site, potentially disrupting order processing or data exports.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1\u202f% suggests low exploitation probability, and the issue is not listed in the CISA KEV catalog. Attackers must be authenticated and have at least Subscriber privileges; the exploitation path is via the plugin\u2019s settings interface accessible to those users."}}}}, "created": "2025-11-04T16:33:14.249453+00:00", "updated": "2026-04-21T02:00:12.314955+00:00", "vendors": ["sidngr", "sidngr$PRODUCT$import_export_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}