Overview
A high-severity vulnerability, identified as CVE-2025-13145, has been discovered in the WP Import – Ultimate CSV XML Importer for WordPress plugin. This vulnerability affects all versions up to and including 7.33.1. It is a PHP Object Injection vulnerability that could allow authenticated attackers with administrator-level access to inject malicious PHP objects, potentially leading to arbitrary code execution, data breaches, or file deletion.
This blog post provides a detailed analysis of the vulnerability, its potential impact, and the steps you need to take to protect your WordPress website.
Technical Details
The vulnerability stems from the deserialization of untrusted data within the import_single_post_as_csv function in the SingleImportExport.php file of the WP Import plugin. Specifically, the plugin passes values read from an imported CSV file to unserialize() without validating them first, so an attacker can craft a CSV file whose cells contain serialized PHP objects.
When the plugin imports the crafted file, it unserializes those cells and reconstructs the attacker's objects. If a suitable Property-Oriented Programming (POP) chain exists within the WordPress installation (through another plugin or theme), the attacker can leverage this deserialization to achieve arbitrary code execution or other malicious actions.
The vulnerable code is located around line 116 in SingleImportExport.php.
<?php
// Example of the vulnerable function (simplified sketch, not the plugin's exact code)
function import_single_post_as_csv($csv_data) {
    // ... the CSV row has already been parsed into the $csv_data array ...
    // Vulnerable line: an attacker-controlled cell goes straight to unserialize(),
    // so a serialized object in the CSV is rebuilt and its magic methods can run.
    $data = unserialize($csv_data['malicious_field']);
    // ...
}
This vulnerability requires administrator-level access to the WordPress dashboard, which limits the scope of potential attackers, but the impact of successful exploitation is severe.
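To make the defect concrete, here is an added example (written for this post, not code from the WP Import plugin) that places the unsafe pattern next to a hardened one. The column name `meta`, the function names and the sample rows are constructed; PHP 8 is assumed.

```php
<?php
// Added example, not the plugin's code: the unsafe pattern beside a hardened one.
// The field name 'meta' and the sample rows are constructed for illustration.
declare(strict_types=1);

// Vulnerable pattern from the advisory: a CSV cell goes straight to unserialize(),
// so an O:...:{...} record is rebuilt as a live object and its magic methods
// (__wakeup, __destruct, __toString, ...) can run.
function import_meta_unsafe(array $row): mixed
{
    return unserialize($row['meta']);
}

// Hardened pattern: never reconstruct objects from import data.
// With 'allowed_classes' => false every object record becomes a
// __PHP_Incomplete_Class, which has no magic methods, so no POP chain
// can start; any such record is then rejected instead of being stored.
function import_meta_safe(array $row): mixed
{
    $raw = $row['meta'] ?? null;
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return $raw;                   // not serialized data: keep the plain string
    }
    if (contains_object($value)) {
        error_log('CSV import: rejected serialized object in meta cell');
        return null;
    }
    return $value;
}

// True if $value is, or contains, an object. After unserialize() with
// allowed_classes => false the only objects possible are incomplete ones.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample rows: a benign serialized array and a cell carrying an object.
$benign  = ['meta' => serialize(['color' => 'red', 'size' => 3])];
$payload = ['meta' => 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'];

var_dump(import_meta_safe($benign));   // the array survives
var_dump(import_meta_safe($payload));  // NULL, plus an error_log entry
```

The important property is that the hardened version never lets unserialize() instantiate a real class: the `allowed_classes` option is the one switch that closes the POP-chain door regardless of which other plugins are installed. Note that WordPress' own maybe_unserialize() is a thin wrapper around unserialize() and does not restrict classes either, so routing import data through it would not help. Where the import format is under your control, storing structured metadata as JSON and using json_decode() avoids the problem entirely.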
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13145 a score of 7.2, indicating a HIGH severity vulnerability. The breakdown is as follows:
- CVSS Score: 7.2
- Vector String: (This will depend on the specific components of the score)
- Explanation: This score reflects the fact that the vulnerability requires authentication (administrator-level), but successful exploitation can lead to significant impact, including arbitrary code execution. The dependency on a POP chain reduces the exploitability to some extent, but the overall risk remains high.
Possible Impact
Successful exploitation of this vulnerability can have severe consequences, including:
- Arbitrary Code Execution: Attackers can execute arbitrary code on the server, potentially leading to complete system compromise.
- Data Breach: Sensitive data stored on the WordPress website, including user credentials and database information, could be exposed.
- File Deletion: Attackers could delete critical system files, causing website outages or irreparable damage.
- Website Defacement: Attackers could modify website content, deface the site, or inject malicious code to redirect users to phishing sites.
Mitigation or Patch Steps
- Update the Plugin: The most crucial step is to update the WP Import – Ultimate CSV XML Importer for WordPress plugin to the latest version. This vulnerability has been patched in versions released after 7.33.1.
- Verify Plugin Version: Ensure that the plugin is updated to the latest version by checking the plugin details in the WordPress admin panel.
- Restrict Access: Limit administrator-level access to only trusted users. Regularly review user roles and permissions.
- Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) to detect and block malicious requests targeting this vulnerability. Many WAFs have rulesets specifically designed to prevent PHP Object Injection attacks.
- Monitor Logs: Regularly monitor your WordPress website’s logs for suspicious activity, such as failed login attempts or unusual file access patterns.
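As a complement to the WAF and log-monitoring advice, the following added example (not code from the advisory or the plugin) scans an uploaded CSV for serialized PHP object records before any importer runs, so the file can be logged and quarantined. The sample CSV, its column names and the function names are constructed; PHP 8 is assumed.

```php
<?php
// Added example, not the plugin's or the advisory's code: scan an import CSV for
// serialized PHP object records before an importer ever touches it. The sample
// CSV below is constructed; the column names are assumptions.
declare(strict_types=1);

// A serialized object record starts with O:<len>:"<Class>":<n>:{ (or C: for
// classes using the Serializable interface). The capture group is the class name.
const SERIALIZED_OBJECT_RE = '/\b[OC]:\d+:"([A-Za-z_\\\\][\w\\\\]*)":\d+:\{/';

// Returns [row => [column => [class names]]] for every cell that contains at
// least one serialized object record. Rows are 1-based and include the header.
function find_serialized_objects(string $csv): array
{
    $hits = [];
    $fh = fopen('php://memory', 'r+');
    fwrite($fh, $csv);
    rewind($fh);
    $row = 0;
    while (($cells = fgetcsv($fh, 0, ',', '"', '')) !== false) {
        $row++;
        if ($cells === [null]) {
            continue;                 // blank line
        }
        foreach ($cells as $col => $cell) {
            if ($cell !== null && preg_match_all(SERIALIZED_OBJECT_RE, $cell, $m)) {
                $hits[$row][$col] = $m[1];
            }
        }
    }
    fclose($fh);
    return $hits;
}

// Formats hits as one log line per offending cell, using the header name when known.
function format_hits(array $hits, array $header): array
{
    $lines = [];
    foreach ($hits as $row => $cols) {
        foreach ($cols as $col => $classes) {
            $name = $header[$col] ?? "column $col";
            $lines[] = sprintf('row %d, %s: serialized object(s) %s',
                               $row, $name, implode(', ', $classes));
        }
    }
    return $lines;
}

// Constructed sample: one row with a harmless serialized array, one with an object.
$sample = <<<'CSV'
post_title,post_content,meta
Hello,Plain text,"a:1:{s:5:""color"";s:3:""red"";}"
Suspicious,x,"O:8:""stdClass"":1:{s:3:""foo"";s:3:""bar"";}"
CSV;

$hits   = find_serialized_objects($sample);
$header = str_getcsv(strtok($sample, "\n"), ',', '"', '');
foreach (format_hits($hits, $header) as $line) {
    error_log($line);                 // or forward to the site's audit log / SIEM
}
if ($hits !== []) {
    // Quarantine: refuse the import rather than letting the importer decide.
    echo "Import blocked: serialized PHP objects found in CSV\n";
}
```

Run against the sample, the scanner flags only the third row's `meta` cell and names the class it would have instantiated, which is exactly the detail an incident responder wants in the log line. The same expression can seed a WAF rule on the upload body, with the caveat that base64-encoded or otherwise wrapped payloads must be decoded before matching, so treat this as one layer alongside the plugin update rather than a replacement for it.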
