CVE-2025-13145
BaseFortify
Publication date: 2025-11-19
Last updated on: 2025-11-19
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | wp_import_ultimate_csv_xml_importer | 7.33.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a PHP Object Injection in the WP Import – Ultimate CSV XML Importer plugin for WordPress. It occurs because the plugin deserializes untrusted data from CSV file imports in the import_single_post_as_csv function. Authenticated users with administrator-level access or higher can exploit this to inject malicious PHP objects. If a suitable POP (Property-Oriented Programming) chain exists via other plugins or themes, the attacker could delete files, access sensitive data, or execute arbitrary code.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with administrator-level access to delete arbitrary files, retrieve sensitive information, or execute arbitrary code on the affected WordPress site. This can lead to data loss, data breaches, and full compromise of the website.