CVE-2025-13145 is a PHP Object Injection vulnerability classified under CWE-502, found in the WP Import – Ultimate CSV XML Importer plugin for WordPress. The vulnerability arises from unsafe deserialization of untrusted data supplied via CSV file imports handled by the import_single_post_as_csv function in SingleImportExport.php. This function processes CSV files without proper validation or sanitization, allowing an attacker with administrator privileges to craft malicious serialized PHP objects. When deserialized, these objects can trigger a POP chain if other vulnerable plugins or themes are present, enabling arbitrary file deletion, sensitive data disclosure, or remote code execution. The attack vector requires no user interaction beyond authenticated access, but the attacker must have high privileges, limiting exploitation to compromised or malicious administrators. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, and no user interaction. Although no public exploits are currently known, the vulnerability's presence in a widely used WordPress plugin and the potential for severe impact make it critical to address promptly. The lack of available patches at the time of disclosure increases risk for affected sites. The vulnerability highlights the dangers of deserializing untrusted input in PHP applications, especially in CMS environments with complex plugin ecosystems.

The vulnerability can severely impact affected WordPress sites by compromising confidentiality, integrity, and availability. An attacker exploiting this flaw can execute arbitrary PHP code, leading to full site takeover, data theft, or destruction of website content and files. This can result in defacement, loss of customer trust, data breaches involving sensitive user information, and potential lateral movement within hosting environments. For organizations relying on WordPress for business-critical applications, this could cause significant operational disruption and financial loss. The requirement for administrator-level access limits the attack surface but also means that insider threats or compromised admin accounts can be devastating. Additionally, the potential to chain this vulnerability with others via POP chains increases the attack complexity and impact. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public. Overall, the vulnerability poses a high risk to website security and data protection.

1. Immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts. 2. Disable or remove the WP Import – Ultimate CSV XML Importer plugin if it is not essential to your WordPress environment. 3. Monitor for updates from the plugin vendor and apply patches as soon as they become available. 4. Implement strict input validation and sanitization for all CSV imports, ideally by using alternative import methods that do not rely on PHP object deserialization. 5. Conduct a thorough audit of installed plugins and themes to identify and update or remove components that could provide POP chains, thereby reducing the potential for exploitation. 6. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious serialized payloads in CSV uploads. 7. Regularly back up website data and files to enable recovery in case of compromise. 8. Monitor logs for unusual administrator activity or file changes indicative of exploitation attempts. 9. Educate administrators on the risks of importing untrusted CSV files and enforce strict operational procedures around plugin usage. These steps collectively reduce the likelihood and impact of exploitation beyond generic patching advice.