The Import WP – Export and Import CSV and XML files to WordPress plugin is susceptible to an Arbitrary File Read vulnerability due to improper validation of file paths in its REST API endpoint. This flaw arises in the 'attach_file()' function, where the 'file_local' actions permit authenticated users, specifically those with administrator-level access, to access and read files from the server's filesystem. The exploitation of this vulnerability could lead to exposure of sensitive configuration and system files, posing significant security risks to affected installations.
https://securityvulnerability.io/vulner ... 2025-12137