CVE-2018-25325 Overview
CVE-2018-25325 is a path traversal vulnerability [CWE-22] in Woocommerce CSV Importer 3.3.6, a WordPress plugin used to import product data into WooCommerce stores. The flaw resides in the delete_export_file AJAX action, which fails to sanitize the filename parameter supplied by authenticated users. Any registered user can submit directory traversal sequences to delete files outside the intended export directory. Attackers commonly target wp-config.php to force the WordPress site into setup mode, enabling site takeover. The vulnerability is exploitable remotely over the network without user interaction.
Critical Impact
Authenticated attackers with any role can delete arbitrary files on the WordPress server, including wp-config.php, leading to full site compromise.
Affected Products
- Woocommerce CSV Importer plugin version 3.3.6
- WordPress sites with the vulnerable plugin installed and active
- Any environment allowing user registration with the affected plugin enabled
Discovery Timeline
- 2026-05-17 - CVE-2018-25325 published to the National Vulnerability Database
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2018-25325
Vulnerability Analysis
The vulnerability exists in the delete_export_file AJAX handler exposed by Woocommerce CSV Importer 3.3.6. The handler accepts a filename parameter from POST requests and passes it to a file deletion routine without validating or sanitizing the path. Because WordPress AJAX endpoints registered with the wp_ajax_ prefix are accessible to all authenticated users regardless of role, any registered account can invoke this action. The lack of path normalization allows traversal sequences such as ../ to escape the plugin's export directory and reference files in any directory the web server process has write access to (deletion requires write permission on the containing directory, not on the file itself).
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The plugin trusts user-supplied input as a filename and constructs the deletion target by concatenating the input with a base directory path. No basename() call, no allowlist check, and no capability check (current_user_can) is performed before deletion. This combination of missing input validation and missing authorization controls converts a routine cleanup action into an arbitrary file deletion primitive.
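As an added illustration of the three missing controls (not the plugin's own code, which is not reproduced here), a handler for the same action written defensively; the export directory location, the 'manage_woocommerce' capability and the nonce action name are assumptions:

```php
<?php
// Added example, not Woocommerce CSV Importer code. Assumed: exports live in
// wp-content/uploads/csv-exports/, store managers hold 'manage_woocommerce',
// and the client sends a nonce made with wp_create_nonce( 'delete_export_file' ).
add_action( 'wp_ajax_delete_export_file', 'hardened_delete_export_file' );

function hardened_delete_export_file() {
    // Authorization: wp_ajax_ hooks fire for every logged-in role, so the
    // handler itself must check capability (the control the plugin lacks).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: reject requests without a valid nonce (dies on failure).
    check_ajax_referer( 'delete_export_file', 'nonce' );

    $upload     = wp_upload_dir();
    $export_dir = trailingslashit( $upload['basedir'] ) . 'csv-exports/';

    // basename() keeps only the last path component: "../../wp-config.php"
    // collapses to "wp-config.php", which the allowlist below then rejects.
    $name = basename( wp_unslash( $_POST['filename'] ?? '' ) );

    // Allowlist the shape of a legitimate export name rather than blocklisting "..".
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.csv$/', $name ) ) {
        wp_send_json_error( 'invalid filename', 400 );
    }

    // Containment: resolve symlinks and require the file to sit directly in
    // the export directory. realpath() returns false for a missing file.
    $base   = realpath( $export_dir );
    $target = realpath( $export_dir . $name );
    if ( false === $base || false === $target || dirname( $target ) !== $base ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_delete_file( $target );
    if ( file_exists( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The allowlist and the realpath containment check are deliberately redundant: either alone stops traversal, and the second one also rejects symlinks placed inside the export directory.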
Attack Vector
An attacker registers an account on the target WordPress site, authenticates, and sends a POST request to /wp-admin/admin-ajax.php with the action set to delete_export_file and the filename parameter containing traversal sequences such as ../../../../wp-config.php. The server resolves the path and deletes the target file. Removing wp-config.php triggers the WordPress installation wizard on the next request, allowing the attacker to point the site at an attacker-controlled database and achieve remote code execution through the theme or plugin editor. Technical details and proof-of-concept exploitation are documented in Exploit-DB #44433 and the VulnCheck Security Advisory.
Detection Methods for CVE-2018-25325
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=delete_export_file combined with ../ or URL-encoded %2e%2e%2f sequences in the filename parameter
- Unexpected deletion of wp-config.php, .htaccess, or other root-level WordPress files
- WordPress installation wizard (/wp-admin/setup-config.php) appearing on a previously configured site
- Newly registered low-privilege accounts immediately issuing AJAX requests to plugin endpoints
Detection Strategies
- Inspect web server access logs for AJAX requests referencing delete_export_file and flag any containing path traversal patterns in request bodies
- Deploy file integrity monitoring on the WordPress root and wp-content directories to alert on deletion of configuration or core files
- Correlate authentication events from low-privilege accounts with AJAX file operation requests to identify abuse patterns
Monitoring Recommendations
- Enable verbose logging on admin-ajax.php and forward logs to a centralized SIEM for traversal pattern matching; standard web server access logs record only the request line, so the filename parameter in a POST body is only visible if request bodies are captured through the WAF audit log or application-level logging
- Alert on any process modifying or deleting wp-config.php outside of scheduled maintenance windows
- Track plugin inventory across WordPress fleets and flag installations of Woocommerce CSV Importer at or below version 3.3.6
How to Mitigate CVE-2018-25325
Immediate Actions Required
- Deactivate and remove Woocommerce CSV Importer 3.3.6 from all WordPress installations until a patched build is verified
- Disable open user registration on affected sites or restrict the default role to limit AJAX endpoint exposure
- Audit recently created accounts and remove any unauthorized registrations
- Restore wp-config.php and any other deleted files from known-good backups if compromise is suspected
Patch Information
No vendor patch is referenced in the CVE record for version 3.3.6. Administrators should consult the VulnCheck Security Advisory and the plugin's WordPress repository page for any updated releases. If no fixed version is available, replace the plugin with a maintained alternative.
Workarounds
- Apply a web application firewall rule to block POST requests to admin-ajax.php where the body contains both delete_export_file and traversal sequences (../, ..\, %2e%2e)
- Set restrictive filesystem permissions so the web server user cannot delete wp-config.php or other files outside wp-content/uploads
- Remove the plugin's PHP file or unregister the wp_ajax_delete_export_file action via a mu-plugin if the plugin must remain installed temporarily
# Example ModSecurity (v2 syntax) rule to block traversal in the vulnerable AJAX action.
# Requires SecRequestBodyAccess On. The rule runs in phase 2 so the POST body is parsed,
# and it checks the decoded form fields individually so the order of action= and
# filename= in the body does not matter; \x5c matches a backslash (..\) as listed above.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1002518,phase:2,chain,deny,status:403,log,msg:'CVE-2018-25325 path traversal attempt'"
    SecRule ARGS_POST:action "@streq delete_export_file" "t:none,chain"
    SecRule ARGS_POST:filename "@rx (\.\.(/|\x5c)|%2e%2e)" "t:none,t:urlDecodeUni,t:lowercase"
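The mu-plugin route from the workaround list, as an added example rather than vendor code; it assumes the plugin registers its callback no later than admin_init and uses an assumed file path under wp-content/mu-plugins/:

```php
<?php
/**
 * Plugin Name: CVE-2018-25325 kill switch (added example, not vendor code)
 * Description: Unregisters the delete_export_file AJAX action of Woocommerce CSV
 * Importer 3.3.6 and logs any attempt to call it. Save as
 * wp-content/mu-plugins/cve-2018-25325-kill-switch.php (assumed path).
 */

// admin-ajax.php runs admin_init and only then dispatches wp_ajax_{action}.
// Unhooking at the latest admin_init priority therefore removes callbacks the
// plugin registered at load time, on init, or on admin_init (assumption: the
// plugin does not itself register with a later admin_init priority).
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    // Both variants are removed; the nopriv one is defensive only, as the
    // advisory describes the action as reachable by authenticated users.
    remove_all_actions( 'wp_ajax_delete_export_file' );
    remove_all_actions( 'wp_ajax_nopriv_delete_export_file' );
    add_action( 'wp_ajax_delete_export_file', 'cve_2018_25325_blocked' );
}, PHP_INT_MAX );

function cve_2018_25325_blocked() {
    $user = wp_get_current_user();
    $name = isset( $_POST['filename'] ) ? (string) wp_unslash( $_POST['filename'] ) : '';
    // Log the raw filename so traversal sequences are visible to the SIEM
    // correlation described under Detection Strategies; newlines are stripped
    // so a crafted value cannot forge extra log lines.
    error_log( sprintf(
        'CVE-2018-25325 blocked: user=%d role=%s ip=%s filename=%s',
        $user->ID,
        implode( ',', $user->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        str_replace( array( "\r", "\n" ), ' ', $name )
    ) );
    wp_send_json_error( 'delete_export_file is disabled on this site', 403 );
}
```

Because mu-plugins cannot be deactivated from the dashboard, the kill switch stays in force even if the vulnerable plugin is reactivated by mistake.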
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.