CVE-2025-13066
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-08

Assigner: Wordfence

Description
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation when detecting WXR files, which allows files with double extensions to bypass sanitization while still being accepted as valid WXR files. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-05
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wordpress | Product: demo_importer_plus | Version / Range: 2.0.6
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Powered Q&A
Can you explain this vulnerability to me?

The Demo Importer Plus plugin for WordPress up to version 2.0.6 has a vulnerability that allows authenticated users with author-level access or higher to upload arbitrary files. This happens because the plugin does not properly validate file types, specifically allowing files with double extensions to bypass checks intended to only accept WXR files. As a result, attackers can upload malicious files to the server, potentially enabling remote code execution.


How can this vulnerability impact me?

This vulnerability can allow an attacker with author-level access or higher to upload arbitrary files to your WordPress server. This could lead to remote code execution, meaning the attacker could run malicious code on your server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can focus on identifying unauthorized or suspicious file uploads with double extensions bypassing file type validation in the Demo Importer Plus plugin. Since the vulnerability involves authenticated users with author-level access uploading arbitrary files, monitoring upload directories for files with suspicious double extensions (e.g., .php.jpg) or unexpected file types is recommended. Specific commands are not provided in the resources, but general approaches include scanning the WordPress upload directories for files with double extensions or unusual MIME types, and reviewing server logs for upload activity by author-level users. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Demo Importer Plus plugin to version 2.0.7 or later, which includes enhanced MIME type validation in the `real_mimes` function. This update restricts allowed file extensions to 'xml' and 'json' with specific filename patterns, preventing malicious double extension files from bypassing sanitization. Until the update is applied, restrict author-level user permissions if possible and monitor uploads closely. [2]
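The detection and mitigation answers above describe two defender-side checks: scanning the uploads directory for names that hide an executable extension behind a harmless one, and validating an import strictly by name and content. The following Python is an added example written for this page, not BaseFortify's or the plugin's code; the executable-extension list, the allow-list pattern and the sample directory listing are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Extensions a typical PHP web server would execute if such a file ends up under
# wp-content/uploads. Assumed list for this example; adjust to the server's handler config.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Allow-list in the spirit of the 2.0.7 fix: a bare name plus exactly one extension,
# xml or json. The plugin's real pattern is not on the page; this one is an assumption.
IMPORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.(xml|json)$", re.IGNORECASE)

def extensions(name: str) -> list[str]:
    """All dot-separated suffixes of a file name, lower-cased: 'a.php.xml' -> ['php', 'xml']."""
    return [s.lstrip(".").lower() for s in PurePosixPath(name).suffixes]

def is_suspicious_upload(name: str) -> bool:
    """True when any extension in the name, outer or hidden inner one, is executable."""
    return any(e in EXECUTABLE_EXTS for e in extensions(name))

def looks_like_xml(data: bytes) -> bool:
    """Cheap first-bytes check: WXR is XML, so expect an XML prolog or a root tag, not a '<?php' PI."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:5].lower()
    return head.startswith(b"<?xml") or (head.startswith(b"<") and not head.startswith(b"<?"))

def is_valid_import(name: str, data: bytes) -> bool:
    """Accept an import only if both the file name and the first bytes of the content pass."""
    if IMPORT_NAME_RE.fullmatch(name) is None:
        return False
    if name.lower().endswith(".xml"):
        return looks_like_xml(data)
    return data.lstrip()[:1] in (b"{", b"[")  # json import

def scan(names):
    """Return the names in an uploads listing that a defender should inspect."""
    return [n for n in names if is_suspicious_upload(n)]

# Constructed sample of an uploads directory listing (not real data from any site).
SAMPLE = ["demo-content.xml", "widgets.json", "shell.php.xml",
          "image.phtml.jpg", "backup.tar.gz", "notes.xml.php"]

if __name__ == "__main__":
    for n in scan(SAMPLE):
        print("suspicious:", n)
```

On a live site, feed `scan()` the output of `os.listdir()` over `wp-content/uploads` and treat every hit as something to review, not automatically delete.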

