CVE-2025-12732: The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of sen
mediumvulnerabilityLLM-Specific
security
Summary
The WP Import – Ultimate CSV XML Importer plugin for WordPress has a security flaw in versions up to 7.33 where the showsetting() function is missing an authorization check (a verification that the person accessing it has permission). This allows authenticated attackers with Author-level access or higher to extract sensitive information, including OpenAI API keys (secret credentials used to access the OpenAI service) that are configured through the plugin's admin interface.
Vulnerability Details
CVSS Score
4.3(medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Type
PII Leakage
Attack SophisticationTrivial
Impact (CIA+S)
confidentiality
AI Component TargetedAPI
Affected Vendors
OpenAI
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-12732
First tracked: February 15, 2026 at 08:49 PM
Classified by LLM (prompt v3) · confidence: 85%