CVE, April 24, 2026

CVE-2025-14627: SSRF Vulnerability in WP Import Plugin (CVSS 6.4)

A Server-Side Request Forgery (SSRF) vulnerability has been discovered in the WP Import – Ultimate CSV XML Importer plugin for WordPress. Tracked as CVE-2025-14627 with a CVSS score of 6.4 (Medium), this flaw affects all versions up to and including 7.35 and allows attackers to make requests from the server to internal or external resources. The plugin, which has approximately 10,000 active installations, is widely used by site owners who need to import large datasets from CSV and XML files.

WP Import simplifies the process of migrating content into WordPress from external sources. Users can upload CSV or XML files containing posts, pages, custom post types, users, and taxonomy terms, and the plugin maps each column to the corresponding WordPress field. It supports scheduled imports, field customization, and integration with various third-party tools. Given the volume of data that passes through this plugin, any security flaw in its import logic carries significant risk.

The vulnerability was discovered during a routine security audit of plugins that handle external data ingestion. SSRF flaws in import plugins are particularly concerning because import functionality typically requires making HTTP requests to fetch remote resources. When URL validation is missing or insufficient, attackers can redirect those requests to internal network resources that should never be accessible from outside the server.

Understanding SSRF Vulnerabilities

Server-Side Request Forgery is a type of attack where an attacker abuses a server-side feature to make HTTP requests to arbitrary destinations. Unlike client-side attacks that target a user’s browser, SSRF uses the server itself as the attack vector. This means the requests originate from a trusted IP address, allowing the attacker to bypass network access controls that would normally block external traffic.

In the context of WP Import, the plugin fails to properly validate URLs passed to its import functionality. An attacker with access to the import feature can craft requests that make the server send HTTP requests to arbitrary destinations. This includes internal network resources that would otherwise be inaccessible from outside the server, such as cloud metadata services, internal APIs, database management interfaces, and other services running on the same network.

The specific mechanism involves the plugin accepting a URL parameter for remote file imports without checking whether the target is an allowed external resource or an internal address. Attackers can supply URLs pointing to internal IP ranges including 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and the critical cloud metadata address 169.254.169.254. The server then fetches these resources and returns the data in the import response, effectively leaking internal information to the attacker.

What an Attacker Can Access

SSRF vulnerabilities are particularly dangerous in cloud-hosted WordPress environments. An attacker exploiting SSRF in WP Import can perform a range of malicious activities that extend far beyond the WordPress installation itself.

Internal network scanning is one of the primary uses of SSRF. The attacker can probe internal IP addresses to discover other services running on the same network, including database servers, caching layers, monitoring tools, and other web applications. Each discovered service becomes a potential additional attack surface. In shared hosting environments, this could expose other customers’ sites and data.

Cloud provider metadata endpoints are a high-value target for SSRF attacks. On AWS, the metadata service at http://169.254.169.254/ can return IAM role credentials, instance identity documents, and user data scripts. Similar endpoints exist for Google Cloud, Azure, and DigitalOcean. If the WordPress server runs on a cloud instance with an attached IAM role, the attacker can retrieve temporary credentials and use them to access other cloud services like S3 buckets, databases, or even other compute instances.

Internal applications and admin panels are also at risk. Many WordPress sites run alongside other internal tools such as phpMyAdmin, adminer, monitoring dashboards, internal wikis, and CI/CD systems. If these tools rely on network-level access control instead of strong authentication, an SSRF attack can bypass those controls completely. The attacker interacts with these internal services as if they were on the local network.

Firewall rule bypass is another critical concern. Organizations invest heavily in perimeter firewalls that block external access to internal services. SSRF attacks circumvent these firewalls because the requests originate from within the trusted network. An attacker targeting a database server on port 3306 would normally be blocked by the firewall, but an SSRF request from the WordPress server to 10.0.0.5:3306 bypasses that restriction entirely.

Impact and CVSS Breakdown

The CVSS score of 6.4 reflects the medium severity of this vulnerability, but the actual impact depends heavily on the hosting environment. In minimally segmented environments where WordPress shares a network with other critical services, the effective severity approaches critical levels.

  • CVSS Score: 6.4 (Medium)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed (the vulnerability allows access to resources beyond the vulnerable component)
  • Confidentiality Impact: Low (limited to response data from targeted endpoints)
  • Integrity Impact: Low (limited to data returned in responses)
  • Availability Impact: None
  • Affected Versions: WP Import up to and including version 7.35

The “Scope: Changed” designation in the CVSS vector is important. It means the vulnerable component (WP Import) is not the only system at risk. The SSRF can reach and impact other systems on the network, which worsens the overall severity. In environments where cloud metadata services are accessible, the confidentiality and integrity impacts would be significantly higher than the base CVSS suggests.

Detecting SSRF Exploitation Attempts

Detecting SSRF attacks requires monitoring outbound HTTP requests from your WordPress server. Normal WP Import traffic consists of requests to known CSV and XML file hosts. SSRF exploitation generates requests to unexpected internal IP addresses or unusual ports, which is a strong indicator of malicious activity.

Server access logs and firewall logs can reveal SSRF attempts. Look for HTTP requests from your WordPress server to internal IP ranges, requests to cloud metadata endpoints, requests to unusual ports, and repeated connection attempts to multiple internal addresses in sequence. Any of these patterns warrants immediate investigation.
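The log review described above, as an added detection example (not from the original post or the plugin): it runs the three indicators named in the text, internal destination, cloud metadata endpoint and unusual port, over constructed firewall-style outbound connection lines, and raises a sweep alert when one source hits several internal hosts. The log format, field names and the 10.1.2.30 server address are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: an outbound-connection log (firewall/flow-log style) for a WordPress host at 10.1.2.30.
SAMPLE_LOG = """\
2026-04-24T10:00:01Z src=10.1.2.30 dst=93.184.216.34 dport=443 action=ALLOW
2026-04-24T10:00:05Z src=10.1.2.30 dst=169.254.169.254 dport=80 action=ALLOW
2026-04-24T10:00:09Z src=10.1.2.30 dst=10.0.0.5 dport=3306 action=ALLOW
2026-04-24T10:00:10Z src=10.1.2.30 dst=10.0.0.6 dport=6379 action=ALLOW
2026-04-24T10:00:11Z src=10.1.2.30 dst=10.0.0.7 dport=9200 action=ALLOW
2026-04-24T10:00:12Z src=10.1.2.30 dst=10.0.0.8 dport=8080 action=ALLOW
"""

METADATA_IPS = {"169.254.169.254"}   # AWS, GCP and Azure all answer on this address
EXPECTED_PORTS = {80, 443}           # all a CSV/XML import should ever need
SWEEP_THRESHOLD = 3                  # distinct internal targets from one source = scanning
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_internal(ip_text: str) -> bool:
    """Loopback, RFC 1918, link-local and every other non-global range."""
    return not ipaddress.ip_address(ip_text).is_global


def classify(line: str):
    """Per-line indicators: metadata endpoint, internal destination, unusual port."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    dst, dport = m["dst"], int(m["dport"])
    reasons = []
    if dst in METADATA_IPS:
        reasons.append("cloud-metadata")
    elif is_internal(dst):
        reasons.append("internal-destination")
    if dport not in EXPECTED_PORTS:
        reasons.append(f"unusual-port:{dport}")
    return {"ts": m["ts"], "src": m["src"], "dst": dst, "reasons": reasons}


def scan_outbound_log(log_text: str) -> list:
    """Flag single suspicious connections, then a sweep when one source hits many internal hosts."""
    alerts, internal_targets = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None or not rec["reasons"]:
            continue
        alerts.append(rec)
        if rec["reasons"][0] in ("cloud-metadata", "internal-destination"):
            internal_targets[rec["src"]].add(rec["dst"])
    for src, dsts in internal_targets.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            alerts.append({"src": src, "reasons": ["internal-sweep"], "targets": sorted(dsts)})
    return alerts
```

Tune EXPECTED_PORTS and the sweep threshold to the hosts your import jobs legitimately fetch from; the first line in the sample shows a normal HTTPS fetch producing no alert.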

Web application firewalls with virtual patching capabilities can block SSRF exploitation even before you update the vulnerable plugin. Trusti Security’s Firewall module includes SSRF detection rules that inspect URL parameters for internal IP addresses and cloud metadata endpoints, blocking requests before they reach the vulnerable code path. This provides immediate protection while you schedule the plugin update.

SSRF Protection in WordPress and Beyond

WordPress site owners can mitigate SSRF risks through a combination of plugin-level fixes and infrastructure hardening. The most immediate step is updating WP Import to the latest version, which includes proper URL validation that rejects internal addresses and cloud metadata endpoints.
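What the "proper URL validation" above amounts to, as an added example written for this article (not the plugin's own code and not its actual fix): the check the vulnerable versions lacked, applied to the import URL before any fetch. It restricts scheme and port, refuses metadata hostnames, and resolves the host so that a public-looking name pointing at an internal address is rejected too. Function names, METADATA_HOSTS and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical names (not the plugin's code). Hostnames cloud metadata services answer on;
# the IP form 169.254.169.254 is caught by the address-range check below.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
ALLOWED_PORTS = {None, 80, 443}  # None = scheme default


def is_internal_ip(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), IPv4-mapped IPv6, any non-global range."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.5 is really 10.0.0.5
        ip = ip.ipv4_mapped
    return ip.is_loopback or ip.is_private or ip.is_link_local or not ip.is_global


def resolve_host(host: str) -> list:
    """Default resolver: every A/AAAA answer, since any one of them may point inside the network."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_import_url(url: str, resolver=resolve_host) -> tuple:
    """Return (ok, reason). Run before the fetch and again on every redirect Location."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return False, "cloud metadata hostname"
    try:
        ipaddress.ip_address(host)
        targets = [host]  # literal IP: no DNS needed
    except ValueError:
        try:
            targets = resolver(host)  # hostname: check what it actually resolves to
        except OSError:
            return False, "hostname does not resolve"
    for ip_text in targets:
        if is_internal_ip(ip_text):
            return False, f"resolves to internal address {ip_text}"
    return True, "ok"
```

Resolving and then fetching leaves a small window in which DNS can change, so the fetch itself should connect to the address that passed validation rather than resolving the name a second time.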

Server-level network segmentation provides the best defense against SSRF exploitation. If the WordPress server cannot reach internal services in the first place, even a successfully exploited SSRF vulnerability has nowhere to go. Use security groups, network ACLs, and firewall rules to restrict outbound traffic from your WordPress server to only the specific external services it needs to function.

For cloud-hosted environments, always use IMDSv2 (Instance Metadata Service Version 2), which requires session-based tokens and prevents simple SSRF-based metadata retrieval. On AWS, this means ensuring that the metadata response hop limit is set appropriately and that IMDSv1 is disabled entirely. Similar protections exist on Google Cloud and Azure.

Restricting outbound HTTP requests from the server is another effective measure. WordPress does not need to make arbitrary outbound requests to every destination on the internet. Use a proxy server with a whitelist of allowed domains, or configure firewall rules that only permit traffic to known update servers, CDN endpoints, and API services. Trusti Security’s Firewall module can help detect and block suspicious outbound requests at the application level.

WP Import is available on WordPress.org at wordpress.org/plugins/wp-import-csv-xml/. If you are using version 7.35 or earlier, update to the latest version as soon as possible. Regular vulnerability scanning with Trusti Security will detect outdated plugins and known vulnerabilities before attackers can exploit them.
