Overview
A critical security vulnerability, identified as CVE-2025-13133, has been discovered in the Simple User Import Export plugin for WordPress. This vulnerability exposes websites using the plugin to a potential CSV Injection attack. The vulnerability affects all versions up to and including 1.1.7.
Authenticated attackers with Administrator-level access (or higher) can exploit this flaw to embed malicious code into exported CSV files. When these files are downloaded and opened on a local system with a vulnerable configuration (e.g., Microsoft Excel with default settings), the embedded code can be executed, potentially leading to a compromise of the user’s system.
Technical Details
The vulnerability resides in the ‘Import/export users’ function of the Simple User Import Export plugin. The plugin fails to properly sanitize user-controlled input during the export process. An attacker can inject specially crafted formulas (e.g., starting with ‘=’, ‘+’, ‘-’, or ‘@’) into fields like usernames, email addresses, or other user profile data. These formulas are then included in the generated CSV file without proper escaping.
When a user opens the CSV file in a spreadsheet application like Microsoft Excel, the application interprets these injected formulas as executable code. This can allow the attacker to execute arbitrary commands on the user’s system, potentially leading to data theft, malware installation, or other malicious activities.
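As an added illustration (not the plugin's code), the following Python shows the unsafe export path the advisory describes beside a neutralized one, together with a check a defender can run over an export before opening it. The sample users, the column names and the harmless arithmetic cells are constructed assumptions.

```python
import csv
import io

# Characters that Excel and LibreOffice treat as the start of a formula when
# they lead a cell; tab and carriage return also trigger this behaviour.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of showing it.
    Leading spaces are skipped because spreadsheets ignore them first."""
    return value.lstrip(" ").startswith(FORMULA_PREFIXES)


def neutralize_cell(value: str) -> str:
    """Prefix formula-like cells with a single quote so they render as text.
    The csv writer's quoting below keeps any embedded quotes well-formed."""
    return "'" + value if is_formula_like(value) else value


def export_users(rows, neutralize: bool) -> str:
    """Render rows as CSV. neutralize=False reproduces the unsafe behaviour the
    advisory describes (prefixes pass through); neutralize=True fixes it."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["user_login", "user_email", "display_name"])
    for row in rows:
        cells = [str(c) for c in row]
        if neutralize:
            cells = [neutralize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def flagged_cells(csv_text: str):
    """Return (row, column, value) for every formula-like cell in a CSV text;
    a defender can run this over an export before opening it."""
    reader = csv.reader(io.StringIO(csv_text))
    return [(r, c, v) for r, row in enumerate(reader)
            for c, v in enumerate(row) if is_formula_like(v)]


# Constructed sample (assumption, not real site data): profile fields that an
# administrator could fill with formula-looking text. Harmless arithmetic only.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid", "Alice"),
    ("bob", "bob@example.invalid", "=2+2"),
    ("carol", "carol@example.invalid", "  @SUM(1,2)"),
]

if __name__ == "__main__":
    print(export_users(SAMPLE_USERS, neutralize=False))  # flagged cells remain
    print(export_users(SAMPLE_USERS, neutralize=True))   # all cells render as text
```

Note that an e-mail address such as alice@example.invalid is not flagged: the ‘@’ only matters when it is the first non-space character of the cell.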
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 6.6 (MEDIUM).
- CVSS Vector: This information is not provided, but generally CSV injection vulnerabilities will have a vector that reflects local user interaction.
- Explanation: The Medium severity is due to the requirement for attacker authentication with Administrator-level privileges and the need for user interaction (opening the malicious CSV file). However, the potential impact of code execution warrants serious attention.
Possible Impact
Successful exploitation of this vulnerability can have significant consequences:
- Local System Compromise: Attackers can execute arbitrary commands on the victim’s computer.
- Data Theft: Sensitive information stored on the user’s system can be stolen.
- Malware Installation: The attacker can install malware on the victim’s machine.
- Lateral Movement: In some cases, the attacker might be able to use the compromised system to gain access to other systems on the network.
Mitigation or Patch Steps
To mitigate this vulnerability, follow these steps:
- Update the Plugin: The most effective solution is to update the Simple User Import Export plugin to the latest version, if a patched version is available. Check the WordPress plugin repository for updates.
- Disable the Plugin: If an update is not yet available, temporarily disable the Simple User Import Export plugin until a patched version is released.
- Exercise Caution: Be extremely cautious when opening CSV files exported from your WordPress website, especially if you are unsure of their origin.
- Educate Users: Inform administrators and other users about the risks associated with opening CSV files from untrusted sources.
- Strengthen User Permissions: Review user roles and permissions to ensure only necessary users have Administrator-level access.
