PT-2026-3354 · WordPress · Demo Importer Plus

Lorenzo Franchini · Published 2026-01-17 · Updated 2026-01-22 · CVE-2025-14478

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Demo Importer Plus plugin for WordPress, versions up to and including 2.0.9

Description: The software is susceptible to XML External Entity Injection (XXE) through the SVG file upload functionality. This allows authenticated attackers with Author-level access or higher to potentially achieve code execution in vulnerable configurations. This issue only impacts sites using PHP versions older than 8.0.

Recommendations: Update the Demo Importer Plus plugin to a version newer than 2.0.9. For sites using PHP versions older than 8.0, consider alternative methods for importing demos that do not involve SVG file uploads.
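The reason the advisory limits the impact to PHP versions older than 8.0 is that, on those versions, libxml's external entity loader is enabled by default, so an SVG (which is XML) carrying a DOCTYPE with external entities can be resolved when the file is parsed. The following is an added example of a defensive pre-check for uploaded SVG content; it is not code from the Demo Importer Plus plugin or its vendor, and the function name, variable names and the two sample documents are constructed for illustration. It refuses any SVG containing a DOCTYPE or ENTITY declaration, disables the entity loader explicitly on PHP < 8.0, parses with LIBXML_NONET and without LIBXML_NOENT, and confirms the root element is really an svg element.

```php
<?php
// Added example (hypothetical helper, not the plugin's own code): validate an
// uploaded SVG before any XML processing, covering the PHP < 8.0 case where the
// libxml entity loader is on by default.

/**
 * Return true only if $svg carries no entity-related constructs and parses
 * cleanly with network access and entity substitution disabled.
 */
function svg_upload_is_safe(string $svg): bool
{
    // 1. Cheap textual pre-check: a benign SVG never needs a DOCTYPE or an
    //    ENTITY declaration, and those are exactly what XXE depends on.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg)) {
        return false;
    }

    // 2. On PHP < 8.0 the libxml entity loader is enabled by default, so turn it
    //    off explicitly and remember the previous state. In PHP 8.0+ the call is
    //    deprecated because external entity loading is already disabled unless
    //    LIBXML_NOENT is requested.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOENT is
    // deliberately NOT passed so entity references are never substituted.
    $ok = $doc->loadXML($svg, LIBXML_NONET | LIBXML_NOBLANKS);

    // 3. Belt and braces: refuse any document that still carries a DOCTYPE node
    //    (for example one the textual pre-check did not match).
    if ($ok && $doc->doctype !== null) {
        $ok = false;
    }

    // 4. The root element must actually be an SVG element.
    if ($ok && ($doc->documentElement === null
        || strtolower($doc->documentElement->localName) !== 'svg')) {
        $ok = false;
    }

    // Restore libxml state so the check has no side effects on the rest of the request.
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }
    return (bool) $ok;
}

// Constructed sample inputs: a plain SVG and one carrying an internal DTD subset.
$benignSvg = '<?xml version="1.0"?>'
    . '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    . '<rect width="10" height="10"/></svg>';
$svgWithDtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE svg [<!ENTITY x "y">]>'
    . '<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>';

var_dump(svg_upload_is_safe($benignSvg));   // accepted
var_dump(svg_upload_is_safe($svgWithDtd));  // rejected at the DOCTYPE pre-check
```

In a WordPress upload path this check would run on the file contents before the plugin hands them to any XML parser or writes them into the media library; rejecting on DOCTYPE outright is the simplest rule because legitimate SVG exports from drawing tools either omit the DTD or can be re-exported without it.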

Fix

XXE

Weakness Enumeration

Related Identifiers: CVE-2025-14478

Affected Products: Demo Importer Plus