CVE-2025-13145: CWE-502 Deserialization of Untrusted Data in smackcoders WP Import – Ultimate CSV XML Importer for WordPress
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
AI Analysis
Technical Summary
CVE-2025-13145 is a deserialization vulnerability classified under CWE-502 affecting the WP Import – Ultimate CSV XML Importer plugin for WordPress. The flaw arises from the import_single_post_as_csv function in SingleImportExport.php, which deserializes data from CSV imports without proper validation or sanitization. This allows an authenticated attacker with administrator privileges to inject crafted PHP objects. The vulnerability is a PHP Object Injection (POI) issue, which can lead to remote code execution, arbitrary file deletion, or data disclosure if a suitable POP chain is present in the environment. The attack vector requires no user interaction but does require high privileges, limiting exposure to trusted users with admin access. The CVSS v3.1 score of 7.2 reflects high impact on confidentiality, integrity, and availability, with network attack vector and low attack complexity. No patches are currently linked, and no exploits are known in the wild, but the risk is significant due to the potential for full system compromise. The vulnerability highlights the dangers of insecure deserialization in WordPress plugins that handle file imports, especially when combined with complex plugin/theme ecosystems that may provide POP gadgets.
Potential Impact
For European organizations, this vulnerability poses a serious risk to WordPress-based websites, particularly those using the WP Import plugin for content or data migration. Successful exploitation can lead to full site compromise, including unauthorized data access, defacement, or service disruption. This can affect e-commerce platforms, corporate websites, and government portals relying on WordPress, potentially leading to data breaches, loss of customer trust, regulatory fines under GDPR, and operational downtime. The requirement for administrator-level access somewhat limits the attack surface but insider threats or compromised admin credentials could enable exploitation. Organizations with complex WordPress environments and multiple plugins/themes are at higher risk due to the possibility of POP chains enabling code execution. The lack of known exploits in the wild reduces immediate threat but does not eliminate future risk, especially as attackers often target popular CMS platforms in Europe.
Mitigation Recommendations
1. Immediately restrict administrator-level access to trusted personnel and enforce strong authentication mechanisms such as MFA. 2. Audit all installed plugins and themes for known POP chains or unsafe deserialization patterns to reduce exploitation vectors. 3. Disable or restrict CSV import functionality if not essential, or implement strict input validation and sanitization on imported files. 4. Monitor WordPress logs for unusual import activity or administrator actions. 5. Apply vendor patches promptly once released; in the meantime, consider temporary workarounds such as disabling the vulnerable import function or isolating the WordPress environment. 6. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious deserialization payloads. 7. Regularly back up WordPress sites and test restoration procedures to minimize impact from potential exploitation. 8. Educate administrators about the risks of importing untrusted CSV files and the importance of secure plugin management.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
CVE-2025-13145: CWE-502 Deserialization of Untrusted Data in smackcoders WP Import – Ultimate CSV XML Importer for WordPress
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
AI-Powered Analysis
Technical Analysis
CVE-2025-13145 is a deserialization vulnerability classified under CWE-502 affecting the WP Import – Ultimate CSV XML Importer plugin for WordPress. The flaw arises from the import_single_post_as_csv function in SingleImportExport.php, which deserializes data from CSV imports without proper validation or sanitization. This allows an authenticated attacker with administrator privileges to inject crafted PHP objects. The vulnerability is a PHP Object Injection (POI) issue, which can lead to remote code execution, arbitrary file deletion, or data disclosure if a suitable POP chain is present in the environment. The attack vector requires no user interaction but does require high privileges, limiting exposure to trusted users with admin access. The CVSS v3.1 score of 7.2 reflects high impact on confidentiality, integrity, and availability, with network attack vector and low attack complexity. No patches are currently linked, and no exploits are known in the wild, but the risk is significant due to the potential for full system compromise. The vulnerability highlights the dangers of insecure deserialization in WordPress plugins that handle file imports, especially when combined with complex plugin/theme ecosystems that may provide POP gadgets.
Potential Impact
For European organizations, this vulnerability poses a serious risk to WordPress-based websites, particularly those using the WP Import plugin for content or data migration. Successful exploitation can lead to full site compromise, including unauthorized data access, defacement, or service disruption. This can affect e-commerce platforms, corporate websites, and government portals relying on WordPress, potentially leading to data breaches, loss of customer trust, regulatory fines under GDPR, and operational downtime. The requirement for administrator-level access somewhat limits the attack surface but insider threats or compromised admin credentials could enable exploitation. Organizations with complex WordPress environments and multiple plugins/themes are at higher risk due to the possibility of POP chains enabling code execution. The lack of known exploits in the wild reduces immediate threat but does not eliminate future risk, especially as attackers often target popular CMS platforms in Europe.
Mitigation Recommendations
1. Immediately restrict administrator-level access to trusted personnel and enforce strong authentication mechanisms such as MFA. 2. Audit all installed plugins and themes for known POP chains or unsafe deserialization patterns to reduce exploitation vectors. 3. Disable or restrict CSV import functionality if not essential, or implement strict input validation and sanitization on imported files. 4. Monitor WordPress logs for unusual import activity or administrator actions. 5. Apply vendor patches promptly once released; in the meantime, consider temporary workarounds such as disabling the vulnerable import function or isolating the WordPress environment. 6. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious deserialization payloads. 7. Regularly back up WordPress sites and test restoration procedures to minimize impact from potential exploitation. 8. Educate administrators about the risks of importing untrusted CSV files and the importance of secure plugin management.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-13T19:07:19.403Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 691d6898a27e6d5e91bc24d2
Added to database: 11/19/2025, 6:50:00 AM
Last enriched: 11/26/2025, 8:05:08 AM
Last updated: 1/7/2026, 6:12:47 AM
Views: 61
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-14835: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in opajaap WP Photo Album Plus
HighCVE-2026-0650: CWE-306 Missing Authentication for Critical Function in OpenFlagr Flagr
CriticalCVE-2025-15474: CWE-770 Allocation of Resources Without Limits or Throttling in AuntyFey AuntyFey Smart Combination Lock
MediumCVE-2025-14468: CWE-352 Cross-Site Request Forgery (CSRF) in mohammed_kaludi AMP for WP – Accelerated Mobile Pages
MediumCVE-2025-9611: CWE-749 Exposed Dangerous Method or Function in Microsoft Playwright
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.