WooCommerce CSV Importer Path Traversal Allows Arbitrary File Deletion
The National Vulnerability Database reports a critical path traversal flaw, CVE-2018-25325, in WooCommerce CSV Importer version 3.3.6. This vulnerability allows any registered user to delete arbitrary files on the server. The flaw stems from insufficient sanitization of filenames submitted via the delete_export_file AJAX action.
Attackers can exploit this by crafting POST requests containing directory traversal sequences (e.g., ../) within the filename parameter. This enables them to navigate outside the intended export directory and target sensitive files such as wp-config.php for deletion. The National Vulnerability Database assigns this a CVSS score of 7.5 (HIGH), underscoring the severity of potential data loss and system compromise.
This isn’t just about deleting a few files; it’s about system integrity. Deleting wp-config.php effectively bricks a WordPress site and could lead to a full site takeover if attackers combine this with other vulnerabilities. For defenders, the implications are clear: ensure all plugins are up-to-date and apply the principle of least privilege rigorously. If a user can register and exploit this, your attack surface just widened significantly.
What This Means For You
- If your organization uses WooCommerce with the CSV Importer plugin, immediately verify your installed version. While this CVE is from 2018, unpatched instances are still vulnerable. Ensure all WordPress installations and plugins are fully updated to mitigate this and similar path traversal risks. Audit user permissions on your e-commerce platforms to ensure no unnecessary access is granted.
Related ATT&CK Techniques
🛡️ Detection Rules
1 rule · 6 SIEM formats1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Exploitation Attempt — CVE-2018-25325
title: Exploitation Attempt — CVE-2018-25325
id: scw-2026-05-17-evt-1
status: experimental
level: high
description: |
Monitor for exploitation attempts targeting CVE-2018-25325. Patch immediately if running affected CVE-2018-25325 products.
author: SCW Feed Engine (auto-generated)
date: 2026-05-17
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2018-25325/
tags:
- attack.general
- attack.vulnerability
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'CVE-2018-25325'
sc-status:
- 200
- 500
condition: selection
falsepositives:
- Legitimate activity from CVE-2018-25325
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25325 | Path Traversal | Woocommerce CSV Importer 3.3.6 |
| CVE-2018-25325 | Path Traversal | delete_export_file AJAX action |
| CVE-2018-25325 | Path Traversal | POST requests with directory traversal sequences in filename parameter |
| CVE-2018-25325 | Path Traversal | Arbitrary file deletion (e.g., wp-config.php) |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 17, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...