PatchSiren cyber security CVE debrief
CVE-2018-25325 Unknown Vendor CVE debrief
CVE-2018-25325 is a path traversal vulnerability in WooCommerce CSV Importer 3.3.6 that can lead to arbitrary file deletion through the delete_export_file AJAX action. The supplied description says an attacker can submit unescaped filename values with directory traversal sequences to delete files outside the intended export directory, including sensitive configuration files such as wp-config.php. The record’s narrative says any registered user can trigger the issue, while the supplied CVSS vector rates privileges as none, so the privilege requirement should be treated as inconsistent in the source material.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-17
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-17
- Advisory updated: 2026-05-18
Who should care
Operators of sites running WooCommerce CSV Importer 3.3.6, especially WordPress/WooCommerce administrators, plugin maintainers, and defenders responsible for authenticated AJAX actions, file integrity, and backup recovery.
Technical summary
The supplied NVD record classifies the issue as CWE-22 (path traversal). The vulnerable behavior is file deletion driven by an unescaped filename parameter in an AJAX handler: the parameter is used to build a path without confining it to the intended export directory, so traversal sequences reach files elsewhere on the host and result in arbitrary file removal. The supplied CVSS v4 vector indicates a network-reachable issue with high confidentiality impact via file access and no user interaction required, but the textual description and the vector disagree on whether prior privileges are required.
Defensive priority
High — remediate urgently on any exposed installation; arbitrary file deletion can break the site, remove configuration, and force recovery from backup.
Recommended defensive actions
- Inventory systems using WooCommerce CSV Importer 3.3.6 and remove or update the plugin where possible.
- Restrict access to the affected AJAX functionality to the minimum necessary set of users.
- Validate and normalize filename/path inputs server-side so deletion is constrained to the intended export directory only.
- Review web server and application logs for delete_export_file requests and unexpected file-deletion activity.
- Confirm recent backups and test restore procedures in case configuration or application files were removed.
- Apply file-permission hardening so the application cannot delete sensitive files outside its working directories.
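As an added illustration of the validation step above (example code written for this debrief, not code from the plugin or the advisory), the following Python confines a delete request to the export directory by resolving the real path before comparing it, which also catches percent-encoded traversal and symlinks; the directory layout and file names are constructed for the example.

```python
import os
import tempfile
import urllib.parse

def resolve_export_file(export_dir: str, user_filename: str):
    """Map a user-supplied filename to a path strictly inside export_dir, else None.
    The test runs on the realpath-resolved candidate, so '..' segments, absolute
    paths, percent-encoded traversal and symlinks pointing outside are all caught."""
    if not user_filename or "\x00" in user_filename:
        return None
    decoded = urllib.parse.unquote(user_filename)  # validate the decoded form
    # The handler only needs a bare filename: refuse any directory component
    # outright instead of trying to strip it out.
    if os.path.basename(decoded) != decoded:
        return None
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Compare path components, so '/x/exports' does not accept '/x/exports2'.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def delete_export_file(export_dir: str, user_filename: str) -> bool:
    """Delete a regular file inside export_dir; False when the request is rejected."""
    target = resolve_export_file(export_dir, user_filename)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def run_checks() -> dict:
    """Exercise the handler against a constructed WordPress-like tree in a temp dir."""
    root = tempfile.mkdtemp()
    export_dir = os.path.join(root, "wp-content", "uploads", "csv-exports")  # assumed layout
    os.makedirs(export_dir)
    config, csv = os.path.join(root, "wp-config.php"), os.path.join(export_dir, "orders.csv")
    for path in (config, csv):
        open(path, "w").close()  # constructed placeholder files
    os.symlink(config, os.path.join(export_dir, "link.csv"))  # symlink escaping the dir
    traversal = "../../../wp-config.php"
    return {
        "plain_ok": resolve_export_file(export_dir, "orders.csv") == os.path.realpath(csv),
        "traversal_rejected": resolve_export_file(export_dir, traversal) is None,
        "encoded_rejected": resolve_export_file(export_dir, "..%2F..%2F..%2Fwp-config.php") is None,
        "symlink_rejected": resolve_export_file(export_dir, "link.csv") is None,
        "delete_outside_blocked": not delete_export_file(export_dir, traversal),
        "config_survives": os.path.exists(config),
        "delete_inside_ok": delete_export_file(export_dir, "orders.csv"),
    }
```

Every value returned by run_checks() should be True; a False entry names the case that slipped through.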
Evidence notes
The supplied source corpus includes an NVD record marked "Received" and classifying the issue as CWE-22. The textual description states that WooCommerce CSV Importer 3.3.6 allows arbitrary file deletion through the delete_export_file AJAX action by submitting unescaped filenames with traversal sequences. The record cites lenonleite.com.br, Exploit-DB exploit 44433, and a VulnCheck advisory as references. The supplied enrichment does not indicate KEV inclusion.
Official resources
The supplied record cites lenonleite.com.br, Exploit-DB entry 44433, and a VulnCheck advisory as disclosure references. No KEV entry or ransomware-campaign attribution is provided in the supplied corpus.