{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12732", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-04T22:08:04.891Z", "datePublished": "2025-11-12T08:28:04.060Z", "dateUpdated": "2026-04-08T16:42:24.421Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:24.421Z"}, "affected": [{"vendor": "smackcoders", "product": "WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.33", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface."}], "title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-11-04T22:23:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-11T20:07:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T14:40:42.860039Z", "id": "CVE-2025-12732", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T14:40:54.845Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T14:40:42.860039Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T14:40:50.576Z"}}], "cna": {"title": "WP Import \u2013 Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "smackcoders", "product": "WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.33"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-04T22:23:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-11T20:07:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42"}, {"url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72"}, {"url": "https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php"}], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:24.421Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12732", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:24.421Z", "dateReserved": "2025-11-04T22:08:04.891Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-12T08:28:04.060Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Import \u2013 Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sensitive information due to a missing authorization check on the showsetting() function in all versions up to, and including, 7.33. This makes it possible for authenticated attackers, with Author-level access or higher, to extract sensitive information including OpenAI API keys configured through the plugin's admin interface."}], "id": "CVE-2025-12732", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-12T09:15:40.573", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L42"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php#L72"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3390161/wp-ultimate-csv-importer/trunk/controllers/SendPassword.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25687ee6-a899-4089-966b-69578afd3fb6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:41:59.348832+00:00", "value": {"mitigation_remediation": ["Update the WP Ultimate CSV Importer plugin to version 7.34 or later, where the missing authorization check has been fixed.", "If an immediate upgrade is not possible, remove the plugin or disable its settings page for users with author-level or lower privileges to block unauthenticated access to sensitive data.", "Consider disabling author-level access to the WordPress admin interface or restricting it to trusted users until a patch can be applied."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "Vendors: smackcoders. Product: WP Ultimate CSV Importer \u2013 Import CSV, XML & Excel into WordPress. Versions affected are all releases through 7.33 inclusive; any plugin version 7.33 or earlier is vulnerable.", "description_and_impact": "The WP Ultimate CSV Importer plugin allows an authenticated user with author-level permissions or higher to access the showsetting() endpoint without any authorization check, enabling the extraction of sensitive configuration data such as OpenAI API keys. This results in a direct loss of confidentiality for the site\u2019s sensitive credentials.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity; however, the EPSS score of less than 1% shows the likelihood of real\u2011world exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an authenticated author or higher user accessing the showsetting() function via the plugin\u2019s admin interface; the absence of an authorization check permits the attacker to retrieve sensitive configuration information."}}}}, "created": "2025-11-12T22:12:14.396314+00:00", "updated": "2026-04-22T16:45:21.461491+00:00", "vendors": ["smackcoders", "smackcoders$PRODUCT$ultimate_csv_importer", "smackcoders$PRODUCT$wp_ultimate_csv_importer", "wordpress", "wordpress$PRODUCT$wordpress"]}