
CVE-2025-1913: CWE-502 Deserialization of Untrusted Data in webtoffee Product Import Export for WooCommerce – Import Export Product CSV Suite

Severity: High
Tags: Vulnerability, CVE-2025-1913, CWE-502
Published: Wed Mar 26 2025 (03/26/2025, 11:55:53 UTC)
Source: CVE Database V5
Vendor/Project: webtoffee
Product: Product Import Export for WooCommerce – Import Export Product CSV Suite

Description

CVE-2025-1913 is a high-severity vulnerability affecting the Product Import Export for WooCommerce – Import Export Product CSV Suite WordPress plugin up to and including version 2.5.0. It is a PHP Object Injection flaw caused by deserialization of untrusted input from the 'form_data' parameter. Exploitation requires an authenticated attacker with Administrator privileges or higher. The vulnerability on its own does not allow exploitation unless another plugin or theme installed on the site supplies a PHP Object Injection POP chain. If such a POP chain exists, attackers could execute arbitrary code, delete files, or access sensitive data. The CVSS score is 7.2, reflecting high impact on confidentiality, integrity, and availability with a network attack vector and no user interaction needed. No known exploits are currently in the wild.

AI-Powered Analysis

Last updated: 12/12/2025, 17:41:29 UTC

Technical Analysis

CVE-2025-1913 is a vulnerability classified under CWE-502 (Deserialization of Untrusted Data) in the Product Import Export for WooCommerce – Import Export Product CSV Suite WordPress plugin, versions up to and including 2.5.0. The flaw arises from insecure deserialization of the 'form_data' parameter, which allows an authenticated attacker with Administrator-level privileges or higher to inject a PHP object. This PHP Object Injection can have severe consequences if a gadget chain (POP chain) exists in another installed plugin or theme that can be leveraged to execute malicious code or perform unauthorized actions. Without such a POP chain, the vulnerability cannot be exploited to cause harm. The attack vector is network-based and requires no user interaction, but it does require high privileges, limiting the attacker to those who already have legitimate admin access or have compromised an admin account. The impact includes potential full system compromise, data exfiltration, arbitrary file deletion, or code execution, depending on the POP chain available. The vulnerability has a CVSS v3.1 score of 7.2, indicating high severity. No public exploits are known at this time, but the risk is significant in environments where many plugins and themes coexist, which increases the likelihood of a usable POP chain. The vulnerability was published on March 26, 2025, and the CVE was assigned by Wordfence. No patches are currently linked, so mitigation relies on access control and environment hardening.

Potential Impact

For European organizations, this vulnerability poses a significant risk especially for those operating e-commerce platforms using WooCommerce with the affected plugin. If exploited, attackers with admin access could leverage this flaw to execute arbitrary PHP code, delete critical files, or steal sensitive customer and business data, severely impacting confidentiality, integrity, and availability of the affected systems. The requirement for administrator-level access reduces the risk from external attackers but raises concerns about insider threats or attackers who have already compromised admin credentials. The impact is amplified in complex WordPress environments with multiple plugins and themes, common in large European e-commerce businesses. Disruption or data breaches could lead to financial losses, reputational damage, and regulatory penalties under GDPR. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score indicates that once a POP chain is identified, exploitation could be devastating.

Mitigation Recommendations

1. Immediately audit all WordPress installations for the presence of the Product Import Export for WooCommerce – Import Export Product CSV Suite plugin and upgrade to a patched version once available.
2. Restrict administrator access strictly to trusted personnel and implement strong authentication mechanisms such as MFA to reduce the risk of credential compromise.
3. Review all installed plugins and themes for known POP chains or vulnerabilities that could be chained with this deserialization flaw; remove or update vulnerable components.
4. Employ application-level firewalls or WordPress security plugins that can detect and block suspicious deserialization attempts or anomalous admin activities.
5. Regularly monitor logs for unusual admin actions or errors related to the 'form_data' parameter.
6. Consider isolating critical WordPress environments or using containerization to limit the blast radius of potential exploitation.
7. Educate administrators on the risks of installing untrusted plugins/themes and the importance of timely updates.
8. Back up WordPress sites and databases frequently to enable recovery in case of compromise.
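As an added illustration for the Technical Analysis and for mitigation steps 4 and 5 above (this is not the plugin's own code, which the page does not show), the two hypothetical WordPress admin handlers below contrast the unsafe unserialize() pattern the advisory describes with a hardened version that rejects serialized-object input, checks capability and nonce, and decodes JSON against an allow-list. All wt_ie_* names, the capability, nonce action and expected keys are assumptions.

```php
<?php
// Added example, not code from the affected plugin. Names are hypothetical.

// UNSAFE pattern (CWE-502): unserialize() on attacker-controlled input.
// Any class on the site with __wakeup()/__destruct() gadgets becomes
// reachable, which is exactly what a POP chain in another plugin needs.
function wt_ie_unsafe_handle_form_data() {
    $raw = isset($_POST['form_data']) ? wp_unslash($_POST['form_data']) : '';
    return unserialize($raw);
}

// Detection helper usable in a WAF rule or request logger (mitigation 5):
// matches the PHP serialized-object marker O:<len>:"Class" and the custom
// serializer marker C:<len>:"Class", including when nested in an array.
function wt_ie_contains_serialized_object(string $s): bool {
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"/', $s);
}

// HARDENED pattern: capability check, nonce check, JSON instead of PHP
// serialization, and an allow-list of expected keys and their types.
function wt_ie_safe_handle_form_data() {
    if (!current_user_can('manage_woocommerce')) {           // assumed capability
        return new WP_Error('forbidden', 'insufficient capability');
    }
    check_admin_referer('wt_ie_form', 'wt_ie_nonce');        // assumed nonce action
    $raw = isset($_POST['form_data']) ? wp_unslash($_POST['form_data']) : '';

    if (wt_ie_contains_serialized_object($raw)) {
        error_log('wt_ie: rejected serialized PHP object in form_data');
        return new WP_Error('bad_input', 'form_data rejected');
    }
    // If a legacy serialized format must still be accepted, use
    // unserialize($raw, ['allowed_classes' => false]) so no object is built.
    $decoded = json_decode($raw, true, 8);
    if (!is_array($decoded)) {
        return new WP_Error('bad_input', 'form_data must be a JSON object');
    }
    $allowed = ['delimiter' => 'string', 'batch_count' => 'integer']; // assumed keys
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (isset($decoded[$key]) && gettype($decoded[$key]) === $type) {
            $clean[$key] = ($type === 'string')
                ? sanitize_text_field($decoded[$key])
                : (int) $decoded[$key];
        }
    }
    return $clean;
}
```

The detection regex alone will flag a request such as form_data=O:8:"stdClass":0:{} in access or WAF logs; it does not replace the capability and nonce checks, which limit who can reach the handler at all.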


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-03-03T23:08:06.268Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69330fa6f88dbe026cfb4084

Added to database: 12/5/2025, 5:00:22 PM

Last enriched: 12/12/2025, 5:41:29 PM

Last updated: 1/20/2026, 6:28:21 PM

