CVE-2025-13133 identifies a CSV Injection vulnerability (CWE-1236) in the Simple User Import Export plugin for WordPress, maintained by vaniivan. The vulnerability exists in all versions up to and including 1.1.7 and is triggered via the plugin's import/export users functionality. Authenticated attackers with Administrator-level access can inject malicious formula elements into CSV files generated by the plugin. These formula elements can be interpreted by spreadsheet software such as Microsoft Excel or LibreOffice Calc when the exported CSV file is opened, potentially leading to arbitrary code execution on the local machine. The vulnerability arises from improper neutralization of formula elements in CSV files, allowing untrusted input to be embedded without sanitization or escaping. The CVSS v3.1 base score is 6.6, reflecting a medium severity with network attack vector, low attack complexity, high privileges required, no user interaction, and a scope change. While no patches or updates are currently linked, the vulnerability demands attention due to the potential for local compromise following file download and opening. The attack requires authenticated administrator access, limiting remote exploitation but increasing risk if credentials are compromised or insider threats exist. No known exploits in the wild have been reported as of the publication date (November 18, 2025).

The primary impact of CVE-2025-13133 is the potential execution of arbitrary code on the local system of users who open the maliciously crafted CSV files. This can lead to unauthorized actions such as data theft, malware installation, or further network compromise. Since the vulnerability requires administrator-level access to inject malicious content, the risk is elevated in environments where administrator credentials are exposed or shared. The integrity of exported user data can be compromised, and confidentiality may be affected if attackers embed payloads that exfiltrate data upon execution. Availability impact is also possible if the payload disrupts system operations. Organizations relying on the Simple User Import Export plugin for user management are at risk of internal compromise and lateral movement if attackers exploit this vulnerability. The scope includes all organizations using WordPress with this plugin, especially those with multiple administrators or less stringent access controls. The absence of known exploits reduces immediate risk but does not eliminate the threat, as proof-of-concept or weaponized exploits could emerge.

To mitigate CVE-2025-13133, organizations should first check for and apply any available updates or patches from the plugin vendor once released. In the absence of patches, administrators should restrict access to the import/export functionality strictly to trusted personnel and monitor administrator account usage for suspicious activity. Implement input sanitization or escaping for CSV exports by modifying the plugin code to neutralize formula characters such as '=', '+', '-', and '@' at the start of CSV fields, preventing formula injection. Educate users to open CSV files in safe environments or use spreadsheet software with formula evaluation disabled by default. Employ network segmentation and endpoint protection to limit the impact of potential local code execution. Regularly audit administrator accounts and enforce strong authentication mechanisms to reduce the risk of credential compromise. Consider disabling or replacing the plugin if mitigation is not feasible. Finally, monitor threat intelligence sources for any emerging exploits targeting this vulnerability.