CVE-2025-13133
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | simple_user_import_export | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1236 | The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a CSV Injection in the Simple User Import Export plugin for WordPress (versions up to and including 1.1.7). It allows authenticated users with Administrator-level access or higher to insert malicious input into exported CSV files. When these CSV files are downloaded and opened on a local system with a vulnerable configuration, the embedded malicious code can be executed.
How can this vulnerability impact me?
The vulnerability can lead to code execution on a local system when a maliciously crafted CSV file is opened. This can result in unauthorized actions, data compromise, or further system exploitation if an attacker successfully embeds harmful code in the exported CSV files.
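
The neutralization that CWE-1236 describes as missing can be sketched as follows. This is an added example, not the plugin's code or its patch: the function names and the exported columns are hypothetical, and it assumes PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

/**
 * Neutralise one cell before it is written to a CSV export (CWE-1236).
 * A value whose first character makes a spreadsheet evaluate the cell as a
 * formula is prefixed with a single quote so it is shown as plain text.
 * Hypothetical helper, not taken from the plugin.
 */
function neutralize_csv_cell($value): string
{
    $value = (string) $value;
    if ($value === '' || is_numeric($value)) {
        return $value; // empty cells and plain numbers such as -5 stay as they are
    }
    // Formula triggers: = + - @, plus tab and carriage return.
    if (strpbrk($value[0], "=+-@\t\r") !== false) {
        return "'" . $value;
    }
    return $value;
}

/** Write user records to an open stream, neutralising every cell. */
function export_users_csv(array $users, $out): void
{
    // Assumed column set; the plugin's real export columns are not on the page.
    $columns = ['user_login', 'user_email', 'display_name'];
    fputcsv($out, $columns, ',', '"', '');
    foreach ($users as $user) {
        $row = [];
        foreach ($columns as $col) {
            $row[] = neutralize_csv_cell($user[$col] ?? '');
        }
        // fputcsv quotes fields that contain the delimiter, quotes or
        // newlines, so the structure of the file is preserved as well.
        fputcsv($out, $row, ',', '"', '');
    }
}

// Constructed sample records: one ordinary, one formula-like, one numeric.
$users = [
    ['user_login' => 'alice', 'user_email' => 'alice@example.com', 'display_name' => 'Alice'],
    ['user_login' => 'bob',   'user_email' => 'bob@example.com',   'display_name' => '=1+1'],
    ['user_login' => 'carol', 'user_email' => 'carol@example.com', 'display_name' => '-5'],
];
$out = fopen('php://output', 'w');
export_users_csv($users, $out);
fclose($out);
```

The check belongs at export time, on every cell, because the values reach the file from stored user data rather than from the request that triggers the download.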