
CVE-2025-13145: CWE-502 Deserialization of Untrusted Data in smackcoders WP Import – Ultimate CSV XML Importer for WordPress

Severity: High
Published: Wed Nov 19 2025 (11/19/2025, 05:45:13 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: WP Import – Ultimate CSV XML Importer for WordPress

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

AI-Powered Analysis

Last updated: 11/19/2025, 06:53:27 UTC

Technical Analysis

CVE-2025-13145 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) found in the WP Import – Ultimate CSV XML Importer plugin for WordPress, maintained by smackcoders. The flaw exists in the import_single_post_as_csv function within SingleImportExport.php, which deserializes PHP objects from CSV file imports without proper validation or sanitization. This unsafe deserialization enables an attacker with administrator privileges to inject crafted PHP objects. The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). The scope is unchanged (S:U), and the impact is high across confidentiality, integrity, and availability (C:H/I:H/A:H). Exploitation depends on the presence of a gadget chain (POP chain) in other plugins or themes installed on the WordPress instance, which can be leveraged to execute arbitrary code, delete files, or access sensitive data. Although no known exploits are currently in the wild, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin's functionality in importing content. The CVSS v3.1 base score is 7.2, indicating a high severity level. The vulnerability affects all versions up to and including 7.33.1, with no patch currently available at the time of publication. The vulnerability was published on November 19, 2025, and was reserved on November 13, 2025. The plugin's role in content importation makes it a critical component in many WordPress deployments, increasing the attack surface for sites that allow administrator-level users to import CSV files.

Potential Impact

For European organizations, this vulnerability can lead to severe consequences including unauthorized disclosure of sensitive data, website defacement, loss of data integrity, and potential full system compromise via remote code execution. Organizations relying on WordPress for their web presence, e-commerce, or content management are particularly at risk. The requirement for administrator-level access limits the attack vector to insiders or compromised credentials, but once exploited, the attacker can manipulate site content, delete critical files, or implant backdoors. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed. The lack of a patch at the time of disclosure means organizations must rely on compensating controls. Given the popularity of WordPress in Europe, especially among SMEs and public sector entities, the threat is significant. Additionally, attackers could leverage this vulnerability as part of a multi-stage attack chain targeting European digital infrastructure.

Mitigation Recommendations

1. Immediately restrict administrator-level access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA).
2. Monitor and audit all CSV import activities and administrator actions within WordPress to detect suspicious behavior.
3. Temporarily disable or remove the WP Import – Ultimate CSV XML Importer plugin until a security patch is released.
4. Review and harden the WordPress environment by minimizing installed plugins and themes to reduce the availability of gadget chains necessary for exploitation.
5. Implement web application firewalls (WAF) with custom rules to detect and block suspicious deserialization payloads or unusual CSV import requests.
6. Keep WordPress core and all plugins/themes updated to the latest versions to reduce attack surface.
7. Conduct regular backups of website data and configuration to enable recovery in case of compromise.
8. Once a patch is available from smackcoders, apply it promptly and verify the fix in a staging environment before production deployment.
9. Educate administrators on the risks of importing untrusted CSV files and enforce strict validation of import sources.
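The deserialization pattern the Technical Analysis describes, and the detection check behind mitigations 2 and 5, as an added illustration that is not the plugin's code (the advisory does not show it). The function names, the CSV row and the field names are constructed, and it assumes PHP 7.0 or later for the `allowed_classes` option:

```php
<?php
// Added illustration, not the plugin's code (the advisory does not show it):
// the unsafe pattern CWE-502 describes, a detection check for serialized objects
// in CSV cells, and a hardened import. Names and the sample row are constructed.

// Constructed CSV row as an importer might hold it after str_getcsv(). The
// "meta" cell wraps a serialized object inside an otherwise ordinary array.
$row = ['post_title' => 'Hello world',
        'meta' => 'a:1:{s:3:"obj";O:8:"stdClass":1:{s:4:"note";s:5:"hello";}}'];

// VULNERABLE: unserialize() on attacker-controlled cell content. Any class loaded
// by another plugin or theme that defines __wakeup()/__destruct() can be
// instantiated, which is the POP-chain condition the advisory describes.
function import_meta_unsafe(string $cell)
{
    return unserialize($cell);
}

// Detection: does the cell carry a serialized object (O:) or custom payload (C:)?
// In PHP's format these tokens only occur at the start of the payload or right
// after a ';' or '{' delimiter, so a well-formed object cannot slip past; the check
// can only over-flag a string that happens to embed that text. The same pattern
// can drive import auditing or a WAF rule (mitigations 2 and 5).
function cell_has_serialized_object(string $cell): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $cell);
}

// HARDENED: reject object tokens up front, then deserialize with
// allowed_classes=false as a second layer, so any object that did get through
// becomes __PHP_Incomplete_Class and no magic method runs.
function import_meta_safe(string $cell)
{
    if (cell_has_serialized_object($cell)) {
        throw new UnexpectedValueException('serialized objects are not accepted in CSV imports');
    }
    $value = @unserialize($cell, ['allowed_classes' => false]); // false on malformed input
    if ($value === false && $cell !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

try {
    import_meta_safe($row['meta']);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
var_dump(import_meta_safe('a:1:{s:4:"note";s:5:"hello";}'));
```

The safest option remains not accepting PHP-serialized data from imports at all (JSON maps to arrays and scalars and has no class-instantiation path); the hardened function is for code that must keep the format.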


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-13T19:07:19.403Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691d6898a27e6d5e91bc24d2

Added to database: 11/19/2025, 6:50:00 AM

Last enriched: 11/19/2025, 6:53:27 AM

Last updated: 11/19/2025, 9:55:37 AM

