PT-2025-46780 · WordPress · Wordpress+1
Tmrswrr · Published 2025-11-13 · Updated 2025-11-18 · CVE-2025-12733
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WP All Import versions up to and including 3.9.6
Description
The Import any XML, CSV or Excel File to WordPress (WP All Import) plugin for WordPress is susceptible to Remote Code Execution. This is caused by the use of eval() on unsanitized user-supplied input within the pmxi_if function located in helpers/functions.php. Authenticated attackers with import capabilities can inject and execute arbitrary PHP code on the server through crafted import templates. This could lead to remote code execution.
Recommendations
Update WP All Import to a version newer than 3.9.6.
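To check which installs still need the update, the following added example (not code from the advisory or from the plugin) reads the standard WordPress plugin header from each plugin's PHP files and compares the version numerically against 3.9.6. The exact "Plugin Name" header value and the constructed sample header are assumptions; the plugins directory path is supplied by the caller.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (3, 9, 6)        # advisory: up to and including 3.9.6
PLUGIN_NAME = "wp all import"    # assumed "Plugin Name" header value (lowercased)

# WordPress plugins declare metadata in a comment header of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

# Constructed sample header, not copied from the plugin.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: WP All Import\nVersion: 3.9.6\n*/\n"

def parse_header(php_source):
    """Return the first Plugin Name / Version values found in the file header."""
    meta = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        meta.setdefault(key.lower(), value)
    return meta

def version_tuple(version):
    """'3.10' -> (3, 10, 0). Numeric compare, so 3.10.0 sorts above 3.9.6."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return version_tuple(version) <= LAST_AFFECTED

def audit(plugins_dir):
    """Return [(path, version, affected)] for each WP All Import copy found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        meta = parse_header(php.read_text(errors="replace"))
        if meta.get("plugin name", "").lower() == PLUGIN_NAME and "version" in meta:
            findings.append((str(php), meta["version"], is_affected(meta["version"])))
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # path to a wp-content/plugins directory
        for path, version, affected in audit(sys.argv[1]):
            print(f"{'AFFECTED' if affected else 'ok':8} {version:10} {path}")
    else:
        meta = parse_header(SAMPLE_HEADER)
        print(meta["version"], "affected" if is_affected(meta["version"]) else "ok")
```

A plain string comparison would rank "3.10.0" below "3.9.6"; the tuple comparison avoids that false positive.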
Fix
RCE
Code Injection
Affected Products
Wp All Import
Wordpress