CVE-2025-13066
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-13066, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: Wordfence

Description

The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-05
Last Modified
2025-12-08
Generated
2026-07-07
AI Q&A
2025-12-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress demo_importer_plus 2.0.6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Demo Importer Plus plugin for WordPress up to version 2.0.6 has a vulnerability that allows authenticated users with author-level access or higher to upload arbitrary files. This happens because the plugin does not properly validate file types, specifically allowing files with double extensions to bypass checks intended to only accept WXR files. As a result, attackers can upload malicious files to the server, potentially enabling remote code execution.

Impact Analysis

This vulnerability can allow an attacker with author-level access or higher to upload arbitrary files to your WordPress server. This could lead to remote code execution, meaning the attacker could run malicious code on your server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks.

Detection Guidance

Detection can focus on identifying unauthorized or suspicious file uploads with double extensions bypassing file type validation in the Demo Importer Plus plugin. Since the vulnerability involves authenticated users with author-level access uploading arbitrary files, monitoring upload directories for files with suspicious double extensions (e.g., .php.jpg) or unexpected file types is recommended. Specific commands are not provided in the resources, but general approaches include scanning the WordPress upload directories for files with double extensions or unusual MIME types, and reviewing server logs for upload activity by author-level users. [2]

Mitigation Strategies

The immediate mitigation step is to update the Demo Importer Plus plugin to version 2.0.7 or later, which includes enhanced MIME type validation in the `real_mimes` function. This update restricts allowed file extensions to 'xml' and 'json' with specific filename patterns, preventing malicious double extension files from bypassing sanitization. Until the update is applied, restrict author-level user permissions if possible and monitor uploads closely. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13066. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart