PT-2025-47438 · WordPress · Wp Import – Ultimate Csv Xml Importer For Wordpress
Dieu Link +1 · Published 2025-11-19 · Updated 2025-12-01 · CVE-2025-13145
CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WP Import – Ultimate CSV XML Importer for WordPress versions prior to 7.33.1
Description
The WP Import – Ultimate CSV XML Importer for WordPress plugin is susceptible to PHP Object Injection due to the deserialization of untrusted data from CSV file imports. This occurs within the import single post as csv function located in the SingleImportExport.php file. An authenticated attacker with administrator-level access or higher can inject a PHP object. If a PHP Object Injection chain is present through another installed plugin or theme, it may allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Recommendations
Update WP Import – Ultimate CSV XML Importer for WordPress to a version newer than 7.33.1.
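A pre-import check to run alongside the update, as an added example (not code from the plugin or from this advisory): it flags CSV cells that contain PHP serialized object tokens, so a file can be reviewed before it reaches an importer that deserializes cell values. The column names, class names and sample rows are constructed for the example.

```python
import csv
import io
import re

# PHP serialize() writes objects as O:<len>:"<Class>":<count>:{ and
# Serializable objects as C:<len>:"<Class>":<len>:{ . Plain arrays (a:),
# strings (s:) and integers (i:) never instantiate a class and are not flagged.
# An optional "+" before the length is tolerated so signed variants are caught.
OBJECT_TOKEN = re.compile(r'(?<![A-Za-z0-9])[OC]:\+?\d+:"([^"]+)":\d+:\{')

# Constructed sample: column names and class names are made up for the example.
SAMPLE_CSV = '''post_title,post_content,custom_meta
Hello,First post,"a:1:{s:5:""color"";s:3:""red"";}"
Promo,Second post,"O:8:""stdClass"":1:{s:1:""a"";i:1;}"
News,Third post,"a:1:{i:0;O:12:""ExampleClass"":0:{}}"
'''


def scan_csv(text):
    """Return (row, column, class_name) for each object token found in a cell.

    Row 1 is the header, so data rows start at 2. Tokens nested inside a
    serialized array are reported too, because unserialize() would
    instantiate them just like a top-level object.
    """
    findings = []
    reader = csv.reader(io.StringIO(text))
    header = next(reader, [])
    for row_no, row in enumerate(reader, start=2):
        for idx, cell in enumerate(row):
            column = header[idx] if idx < len(header) else f"col{idx}"
            for match in OBJECT_TOKEN.finditer(cell):
                findings.append((row_no, column, match.group(1)))
    return findings


if __name__ == "__main__":
    for row_no, column, cls in scan_csv(SAMPLE_CSV):
        print(f"row {row_no}, column {column}: serialized object of class {cls}")
```

A hit is a reason to inspect the file, not proof of an attack: the pattern also matches object tokens quoted inside ordinary text.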
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Wp Import – Ultimate Csv Xml Importer For Wordpress