CVE-2025-62112
Description
Cross-Site Request Forgery (CSRF) vulnerability in Merv Barrett Import into Easy Property Listings easy-property-listings-xml-csv-import allows Cross Site Request Forgery. This issue affects Import into Easy Property Listings: from n/a through <= 2.2.1.
Analysis
A cross-site request forgery (CSRF) vulnerability in the Easy Property Listings XML/CSV Import plugin for WordPress (versions <= 2.2.1) allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the import functionality. Based on EPSS scoring (0.02%, 5th percentile), it carries minimal real-world exploitation risk: the likelihood of automated exploitation is low, even though the CSRF vector requires no special privileges or authentication on the attacker's side.
Technical Context
This is a classic CSRF vulnerability (CWE-352) in a WordPress plugin that handles XML and CSV data import operations. The vulnerable component is the import functionality in Easy Property Listings, which likely accepts form submissions or API calls to process property data imports without proper anti-CSRF token validation (such as WordPress nonces). Because HTTP is stateless, the site recognizes the administrator only by the session cookie the browser sends with each request, so a crafted webpage or email link can trick an authenticated site administrator into unknowingly triggering malicious import actions. The plugin's import feature processes sensitive real estate data, making CSRF attacks against authenticated administrators a potential vector for data manipulation or unauthorized bulk operations.
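The missing check described above, shown as an added example and not the plugin's own code: a hypothetical admin import handler written first without, then with, WordPress nonce and capability validation. Every identifier prefixed `example_` is an assumption made for illustration.

```php
<?php
// Hypothetical import handler. Names prefixed "example_" are assumptions,
// not identifiers taken from the affected plugin.

// Form side: embed a nonce bound to this action and the current user session.
function example_render_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_run_import">
        <?php wp_nonce_field( 'example_run_import', 'example_import_nonce' ); ?>
        <input type="url" name="feed_url" required>
        <?php submit_button( 'Run import' ); ?>
    </form>
    <?php
}

// Weak pattern (for contrast, deliberately not hooked): the session cookie is
// the only gate, so the request is honoured wherever it originated.
function example_handle_import_weak() {
    example_import_feed( esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ) ) );
}

// Hardened pattern: method, capability and nonce are all verified before any
// state-changing work runs.
function example_handle_import() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Terminates with a 403 unless the nonce field is present and valid.
    check_admin_referer( 'example_run_import', 'example_import_nonce' );

    example_import_feed( esc_url_raw( wp_unslash( $_POST['feed_url'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-import&done=1' ) );
    exit;
}
add_action( 'admin_post_example_run_import', 'example_handle_import' );

// Stand-in for the real import routine: records the requested feed URL.
function example_import_feed( $url ) {
    update_option( 'example_last_import_url', $url );
}
```

When auditing a plugin, the same three checks should appear at the top of every callback registered on an `admin_post_*` or `wp_ajax_*` hook that changes state.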
Affected Products
The vulnerability affects the Easy Property Listings XML/CSV Import plugin (identified by the vendor name Merv Barrett Import into Easy Property Listings) for WordPress in versions from inception through version 2.2.1 inclusive. The plugin is available through the WordPress plugin ecosystem and is identified in vulnerability databases under the package name easy-property-listings-xml-csv-import.
Remediation
Update the Easy Property Listings XML/CSV Import plugin to a version beyond 2.2.1 once available from the plugin vendor. Site administrators should navigate to the WordPress Plugins dashboard, locate the Easy Property Listings XML/CSV Import plugin, and apply the available update immediately. In the interim, restrict access to the plugin's import functionality by limiting admin account access and reducing the number of users with administrative privileges. Review WordPress security plugins or web application firewalls that can detect and block CSRF attack patterns. For detailed guidance, consult the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/easy-property-listings-xml-csv-import/vulnerability/wordpress-import-into-easy-property-listings-plugin-2-2-1-cross-site-request-forgery-csrf-vulnerability.