CVE-2025-13145
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13145, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-19

Last updated on: 2025-11-19

Assigner: Wordfence

Description

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the import_single_post_as_csv function within SingleImportExport.php. This makes it possible for authenticated attackers, with administrator-level access or higher, to inject a PHP object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-19
Last Modified
2025-11-19
Generated
2026-07-06
AI Q&A
2025-11-19
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpres wp_import_ultimate_csv_xml_importer 7.33.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a PHP Object Injection in the WP Import – Ultimate CSV XML Importer plugin for WordPress. It occurs because the plugin deserializes untrusted data from CSV file imports in the import_single_post_as_csv function. Authenticated users with administrator-level access or higher can exploit this to inject malicious PHP objects. If a suitable POP (Property Oriented Programming) chain exists via other plugins or themes, the attacker could delete files, access sensitive data, or execute arbitrary code.

Impact Analysis

If exploited, this vulnerability can allow an attacker with administrator-level access to delete arbitrary files, retrieve sensitive information, or execute arbitrary code on the affected WordPress site. This can lead to data loss, data breaches, and full compromise of the website.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13145. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart