CVE-2025-13066
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: Wordfence

Description
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation when detecting WXR files, which allows files with double extensions to bypass sanitization while still being accepted as valid WXR files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Meta Information
Published: 2025-12-05
Last Modified: 2025-12-08
Generated: 2026-06-16
AI Q&A: 2025-12-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: wordpress
Product: demo_importer_plus
Version / Range: 2.0.6
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Detection Guidance

Detection can focus on identifying unauthorized or suspicious file uploads with double extensions that bypass file type validation in the Demo Importer Plus plugin. Since the vulnerability involves authenticated users with author-level access uploading arbitrary files, monitoring upload directories for files with suspicious double extensions (e.g., .php.jpg) or unexpected file types is recommended. Specific commands are not provided in the resources, but general approaches include scanning the WordPress upload directories for files with double extensions or unusual MIME types, and reviewing server logs for upload activity by author-level users. [2]
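The scan suggested above, written out as an added example (not code from BaseFortify, Wordfence or the plugin): it walks an uploads tree and flags names with a hidden executable extension, names with a double extension that still end in one of the plugin's accepted import extensions, and files whose bytes contain a PHP open tag but whose name does not end in .php. The default path, the extension sets and the 4 KiB read window are assumptions.

```python
"""Scan a WordPress uploads tree for double-extension upload artifacts."""
import os
import re
import sys
from pathlib import Path

# Extensions a web server may execute; shell.php.jpg hides one of these
# behind a harmless-looking final extension. Assumed list, extend as needed.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}

# Extensions the importer is meant to accept (see the mitigation text).
IMPORT_EXTS = {"xml", "json"}

PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def classify_name(filename):
    """Return a reason if the name looks like a double-extension bypass, else None."""
    parts = filename.lower().split(".")
    if len(parts) < 3:            # "name.ext" has a single extension: nothing to flag
        return None
    inner = set(parts[1:-1])      # every extension except the final one
    if inner & EXECUTABLE_EXTS:
        return f"executable extension hidden in name: {filename}"
    if parts[-1] in IMPORT_EXTS:
        return f"double extension still accepted as import file: {filename}"
    return None


def classify_content(head, filename):
    """Flag a PHP open tag inside a file whose name does not end in .php."""
    if PHP_OPEN_TAG.search(head) and not filename.lower().endswith(".php"):
        return f"PHP code inside non-PHP file: {filename}"
    return None


def scan_uploads(root):
    """Walk the uploads tree and collect findings from both checks."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reason = classify_name(name)
            if reason is None:
                with open(path, "rb") as fh:          # only the first 4 KiB is inspected
                    reason = classify_content(fh.read(4096), name)
            if reason:
                findings.append(f"{path}: {reason}")
    return findings


if __name__ == "__main__":
    # Assumed default: wp-content/uploads relative to the site root.
    for line in scan_uploads(sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"):
        print(line)
```

Run it from the WordPress root, or pass the uploads path as the first argument; each finding is printed as one line suitable for feeding into a ticket or SIEM.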

Mitigation Strategies

The immediate mitigation step is to update the Demo Importer Plus plugin to version 2.0.7 or later, which includes enhanced MIME type validation in the `real_mimes` function. This update restricts allowed file extensions to 'xml' and 'json' with specific filename patterns, preventing malicious double extension files from bypassing sanitization. Until the update is applied, restrict author-level user permissions if possible and monitor uploads closely. [2]

Executive Summary

The Demo Importer Plus plugin for WordPress up to version 2.0.6 has a vulnerability that allows authenticated users with author-level access or higher to upload arbitrary files. This happens because the plugin does not properly validate file types, specifically allowing files with double extensions to bypass checks intended to only accept WXR files. As a result, attackers can upload malicious files to the server, potentially enabling remote code execution.

Impact Analysis

This vulnerability can allow an attacker with author-level access or higher to upload arbitrary files to your WordPress server. This could lead to remote code execution, meaning the attacker could run malicious code on your server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks.
